From 57f3e462733bd7dbfea3c123c7e2ba507e721c0b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 7 Mar 2023 12:14:48 +0100 Subject: [PATCH] chg: [sigma] updated --- clusters/sigma-rules.json | 35538 ++++++++++++++++++++++-------------- 1 file changed, 21981 insertions(+), 13557 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 432ac2b..456e59b 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -37,6 +37,29 @@ "attack.t1557" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43", "value": "Juniper BGP Missing MD5" }, @@ -61,6 +84,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", "value": "Network Scans Count By Destination Port" }, @@ -126,6 +158,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4601eaec-6b45-4052-ad32-2d96d26ce0d8", "value": "Network Scans Count By Destination IP" }, @@ -174,8 +215,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], @@ -197,8 +238,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", + "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" ], "tags": [ @@ -232,10 +273,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://core.telegram.org/bots/faq", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -310,8 +351,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -417,8 +458,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" ], "tags": [ @@ -460,8 +501,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ @@ -708,6 +749,13 @@ ] }, "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ @@ -715,12 +763,54 @@ ], "type": "related-to" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", @@ -771,6 +861,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", @@ -940,6 +1037,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -971,6 +1075,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", "value": "Cisco Disabling Logging" }, @@ -1043,6 +1156,15 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9e1f193-d236-4451-aaae-2f3d2102120d", "value": "Cisco Sniffing" }, @@ -1109,6 +1231,13 @@ ] }, "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ @@ -1180,6 +1309,29 @@ "attack.t1557" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50e606bf-04ce-4ca7-9d54-3449494bbd4b", "value": "Cisco LDP Authentication Failures" }, @@ -1211,6 +1363,29 @@ "attack.t1557" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56fa3cd6-f8d6-4520-a8c7-607292971886", "value": "Cisco BGP Authentication Failures" }, @@ -1242,6 +1417,29 @@ "attack.t1557" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a557ffe6-ac54-43d2-ae69-158027082350", "value": "Huawei BGP Authentication Failures" }, @@ -1290,6 +1488,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", "value": "Publicly Accessible RDP Service" }, @@ -1314,6 +1521,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", "value": "Kerberos Network Traffic RC4 Ticket Encryption" }, @@ -1330,9 +1546,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], @@ -1510,8 +1726,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/neu5ron/status/1438987292971053057?s=20", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://twitter.com/neu5ron/status/1438987292971053057?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ @@ -1686,6 +1902,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", "value": "Suspicious PsExec Execution - Zeek" }, @@ -1702,8 +1927,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], @@ -1736,6 +1961,15 @@ "attack.t1547.004" ] }, + "related": [ + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", "value": "MITRE BZAR Indicators for Persistence" }, @@ -1752,8 +1986,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], @@ -1762,6 +1996,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", "value": "SMB Spoolss Name Piped Usage" }, @@ -1789,6 +2032,22 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", "value": "Domain User Enumeration Network Recon 01" }, @@ -1847,12 +2106,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://github.com/corelight/CVE-2021-1675", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://github.com/corelight/CVE-2021-1675", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1909,6 +2168,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", "value": "First Time Seen Remote Named Pipe - Zeek" }, @@ -1975,10 +2243,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/neu5ron/status/1346245602502443009", "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://twitter.com/neu5ron/status/1346245602502443009", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -2019,8 +2287,8 @@ "logsource.category": "application", "logsource.product": "django", "refs": [ - "https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", + "https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ @@ -2040,6 +2308,39 @@ "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", "value": "Django Framework Exceptions" }, + { + "description": "Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable." + ], + "filename": "nodejs_rce_exploitation_attempt.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "nodejs", + "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "97661d9d-2beb-4630-b423-68985291a8af", + "value": "Potential RCE Exploitation Attempt In NodeJS" + }, { "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "meta": { @@ -2048,13 +2349,13 @@ "falsepositive": [ "Application bugs" ], - "filename": "appframework_spring_exceptions.yml", + "filename": "spring_application_exceptions.yml", "level": "medium", "logsource.category": "application", "logsource.product": "spring", "refs": [ "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_application_exceptions.yml" ], "tags": [ "attack.initial_access", @@ -2073,6 +2374,40 @@ "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "value": "Spring Framework Exceptions" }, + { + "description": "Detects potential SpEL Injection exploitation, which may lead to RCE.", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs" + ], + "filename": "spring_spel_injection.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "spring", + "refs": [ + "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e9edd087-89d8-48c9-b0b4-5b9bb10896b8", + "value": "Potential SpEL Injection In Spring Framework" + }, { "description": "Generic rule for SQL exceptions in Python according to PEP 249", "meta": { @@ -2106,13 +2441,183 @@ "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "value": "Python SQL Exceptions" }, + { + "description": "Detects potential OGNL Injection exploitation, which may lead to RCE.\nOGNL is an expression language that is supported in many JVM based systems.\nOGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)\n", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs" + ], + "filename": "java_ognl_injection_exploitation_attempt.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "jvm", + "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2017.5638", + "cve.2022.26134" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4d0af518-828e-4a04-a751-a7d03f3046ad", + "value": "Potential OGNL Injection Exploitation In JVM Based Application" + }, + { + "description": "Detects potential local file read vulnerability in JVM based apps.\nIf the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.\n", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs" + ], + "filename": "java_local_file_read.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "jvm", + "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_local_file_read.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e032f5bc-4563-4096-ae3b-064bab588685", + "value": "Potential Local File Read Vulnerability In JVM Based Application" + }, + { + "description": "Detects process execution related exceptions in JVM based apps, often relates to RCE", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs" + ], + "filename": "java_rce_exploitation_attempt.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "jvm", + "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_rce_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d65f37da-a26a-48f8-8159-3dde96680ad2", + "value": "Process Execution Error In JVM Based Application" + }, + { + "description": "Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE." + ], + "filename": "java_xxe_exploitation_attempt.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "jvm", + "refs": [ + "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://rules.sonarsource.com/java/RSPEC-2755", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c4e06896-e27c-4583-95ac-91ce2279345d", + "value": "Potential XXE Exploitation Attempt In JVM Based Application" + }, + { + "description": "Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs" + ], + "filename": "java_jndi_injection_exploitation_attempt.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "jvm", + "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bb0e9cec-d4da-46f5-997f-22efc59f3dca", + "value": "Potential JNDI Injection Exploitation In JVM Based Application" + }, { "description": "Detects SQL error messages that indicate probing for an injection attack", "meta": { "author": "Bjoern Kimminich", "creation_date": "2017/11/27", "falsepositive": [ - "Application bugs" + "A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case." ], "filename": "app_sqlinjection_errors.yml", "level": "high", @@ -2154,8 +2659,8 @@ "refs": [ "http://guides.rubyonrails.org/action_controller_overview.html", "http://edgeguides.rubyonrails.org/security.html", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2188,10 +2693,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -2199,6 +2704,15 @@ "attack.discovery" ] }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", "value": "SharpHound Recon Account Discovery" }, @@ -2215,9 +2729,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], @@ -2241,10 +2755,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -2267,10 +2781,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2303,10 +2817,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -2316,6 +2830,13 @@ ] }, "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ @@ -2340,9 +2861,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], @@ -2351,6 +2872,15 @@ "attack.discovery" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", "value": "Possible DCSync Attack" }, @@ -2391,10 +2921,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -2404,6 +2934,13 @@ ] }, "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ @@ -2428,9 +2965,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -2471,10 +3008,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -2484,6 +3021,13 @@ ] }, "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ @@ -2509,11 +3053,11 @@ "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2537,15 +3081,24 @@ "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", "value": "SharpHound Recon Sessions" }, @@ -2562,10 +3115,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2588,10 +3141,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -2614,9 +3167,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], @@ -2625,6 +3178,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", "value": "Remote Registry Lateral Movement" }, @@ -2641,10 +3203,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2667,9 +3229,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], @@ -2680,6 +3242,41 @@ "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", "value": "Remote Schedule Task Recon via AtScv" }, + { + "description": "Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.", + "meta": { + "author": "Moti Harmats", + "creation_date": "2023/02/11", + "falsepositive": [ + "Application bugs", + "Missing .vm files" + ], + "filename": "velocity_ssti_injection.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "velocity", + "refs": [ + "https://antgarsil.github.io/posts/velocity/", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "16c86189-b556-4ee8-b4c7-7e350a195a4f", + "value": "Potential Server Side Template Injection In Velocity" + }, { "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", "meta": { @@ -2726,11 +3323,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ @@ -2764,8 +3361,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -2911,8 +3508,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -2945,9 +3542,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ @@ -3077,6 +3674,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "value": "Malware Shellcode in Verclsid Target Process" }, @@ -3193,9 +3799,9 @@ "logsource.product": "windows", "refs": [ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3229,10 +3835,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ @@ -3267,11 +3873,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ @@ -3305,11 +3911,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3384,6 +3990,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", "value": "Potential Shellcode Injection" }, @@ -3517,8 +4132,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], "tags": [ @@ -3552,8 +4167,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], @@ -3605,6 +4220,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", @@ -3623,9 +4245,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -3807,8 +4429,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" ], "tags": [ @@ -3817,6 +4439,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "value": "CobaltStrike Named Pipe Patterns" }, @@ -3833,8 +4464,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" ], "tags": [ @@ -3843,6 +4474,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "value": "CobaltStrike Named Pipe Pattern Regex" }, @@ -3917,10 +4557,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/253", - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://twitter.com/d4rksystem/status/1357010969264873472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" ], "tags": [ @@ -3929,6 +4569,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "value": "CobaltStrike Named Pipe" }, @@ -3945,8 +4594,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "Internal Research", "https://attack.mitre.org/groups/G0010/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" ], "tags": [ @@ -3980,7 +4629,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" ], "tags": [ @@ -4102,7 +4752,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ @@ -4135,8 +4786,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" ], "tags": [ @@ -4170,8 +4821,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" ], "tags": [ @@ -4180,6 +4831,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "value": "EfsPotato Named Pipe" }, @@ -4207,6 +4867,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -4231,17 +4898,17 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://github.com/RiccardoAncarani/LiquidSnake", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], @@ -4251,6 +4918,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "value": "Malicious Named Pipe" }, @@ -4267,8 +4943,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" ], "tags": [ @@ -4302,9 +4978,9 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ + "https://o365blog.com/post/adfs/", "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://github.com/Azure/SimuLand", - "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" ], "tags": [ @@ -4448,6 +5124,28 @@ "uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0", "value": "Firewall Rule Modified In The Windows Firewall Exception List" }, + { + "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", + "meta": { + "author": "frack113", + "creation_date": "2023/02/26", + "falsepositive": [ + "Any legitimate application that runs from the AppData user directory" + ], + "filename": "win_firewall_as_add_rule_susp_folder.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" + ], + "tags": "No established tags" + }, + "uuid": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", + "value": "New Firewall Exception Rule Added For A Suspicious Folder" + }, { "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", "meta": { @@ -4468,7 +5166,7 @@ "value": "The Windows Defender Firewall Service Failed To Load Group Policy" }, { - "description": "Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall", + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", "meta": { "author": "frack113", "creation_date": "2022/02/19", @@ -4620,6 +5318,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -4653,6 +5358,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, @@ -4716,6 +5430,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", "value": "Multiple Users Failing to Authenticate from Single Process" }, @@ -4769,8 +5492,8 @@ "logsource.product": "windows", "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -4778,9 +5501,54 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "value": "ISO Image Mount" }, + { + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_delete_or_disable.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "value": "Important Scheduled Task Deleted/Disabled" + }, { "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", "meta": { @@ -4804,6 +5572,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -4839,6 +5614,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -4928,6 +5710,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "value": "Suspicious PsExec Execution" }, @@ -4979,45 +5770,17 @@ "attack.privilege_escalation" ] }, - "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", - "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM" - }, - { - "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", - "meta": { - "author": "Arun Chauhan", - "creation_date": "2021/10/04", - "falsepositive": [ - "Red team activity", - "Rare legitimate use by an administrator" - ], - "filename": "win_security_lolbas_execution_of_nltest.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/software/S0359/", - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1018", - "attack.t1016" - ] - }, "related": [ { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", - "value": "Correct Execution of Nltest.exe" + "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", + "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, { "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", @@ -5032,8 +5795,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ @@ -5041,6 +5804,15 @@ "attack.t1012" ] }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", "value": "Azure AD Health Monitoring Agent Registry Keys Access" }, @@ -5113,8 +5885,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -5135,33 +5907,6 @@ "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", "value": "Persistence and Execution at Scale via GPO Scheduled Task" }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/01/10", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", - "value": "Failed NTLM Logins with Different Accounts from Single Source System" - }, { "description": "Alerts on Metasploit host's authentications on the domain.", "meta": { @@ -5183,6 +5928,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", "value": "Metasploit SMB Authentication" }, @@ -5212,6 +5966,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", "value": "Invalid Users Failing To Authenticate From Source Using Kerberos" }, @@ -5251,11 +6014,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", - "https://github.com/sensepost/ruler", "https://github.com/sensepost/ruler/issues/47", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://github.com/sensepost/ruler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -5268,6 +6031,13 @@ ] }, "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -5281,6 +6051,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "24549159-ac1b-479c-8175-d42aea947cae", @@ -5331,9 +6108,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://awakesecurity.com/blog/threat-hunting-for-paexec/", "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], "tags": [ @@ -5353,6 +6130,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -5385,6 +6169,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", "value": "Impacket PsExec Execution" }, @@ -5410,6 +6203,15 @@ "attack.s0111" ] }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", "value": "Defrag Deactivation - Security" }, @@ -5435,6 +6237,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "value": "Remote Service Activity via SVCCTL Named Pipe" }, @@ -5462,6 +6273,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -5486,8 +6304,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], @@ -5516,33 +6334,18 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", "value": "Access to ADMIN$ Share" }, - { - "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", - "meta": { - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", - "creation_date": "2020/05/11", - "falsepositive": [ - "Exclude known DCs." - ], - "filename": "win_security_global_catalog_enumeration.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ] - }, - "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", - "value": "Enumeration via the Global Catalog" - }, { "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "meta": { @@ -5566,6 +6369,15 @@ "attack.t1550.002" ] }, + "related": [ + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", "value": "Pass the Hash Activity 2" }, @@ -5582,8 +6394,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], @@ -5699,6 +6511,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", "value": "Register new Logon Process by Rubeus" }, @@ -5731,6 +6552,13 @@ ] }, "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "tags": [ @@ -5738,6 +6566,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ @@ -5769,8 +6604,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], @@ -5779,6 +6614,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "value": "DCERPC SMB Spoolss Named Pipe" }, @@ -5806,6 +6650,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -5842,6 +6693,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ @@ -5873,7 +6731,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -5946,6 +6806,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "value": "First Time Seen Remote Named Pipe" }, @@ -5970,6 +6839,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" }, @@ -5986,15 +6864,15 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml" ], "tags": "No established tags" @@ -6089,7 +6967,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" ], "tags": [ @@ -6122,8 +7000,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], @@ -6144,34 +7022,6 @@ "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "value": "Suspicious LDAP-Attributes Used" }, - { - "description": "Detects a single user failing to authenticate to multiple users using explicit credentials.", - "meta": { - "author": "Mauricio Velazco, Zach Mathis", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_explicit_credentials.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", - "value": "Password Spraying via Explicit Credentials" - }, { "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", "meta": { @@ -6185,7 +7035,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" ], "tags": [ @@ -6293,9 +7143,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6328,7 +7178,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" ], "tags": [ @@ -6373,6 +7223,29 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc", "value": "External Remote SMB Logon from Public IP" }, @@ -6425,7 +7298,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ @@ -6442,6 +7315,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", @@ -6460,9 +7340,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Live environment caused by malware", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6504,6 +7384,22 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "value": "NetNTLM Downgrade Attack" }, @@ -6532,12 +7428,26 @@ ] }, "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", @@ -6598,6 +7508,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", "value": "RDP Login from Localhost" }, @@ -6634,36 +7553,6 @@ "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "value": "Password Change on Directory Service Restore Mode (DSRM) Account" }, - { - "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", - "meta": { - "author": "Dimitrios Slamaris", - "creation_date": "2017/06/09", - "falsepositive": "No established falsepositives", - "filename": "win_security_susp_samr_pwset.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ] - }, - "related": [ - { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", - "value": "Possible Remote Password Change Through SAMR" - }, { "description": "Detection of logins performed with WMI", "meta": { @@ -6733,6 +7622,20 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ @@ -6768,6 +7671,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -6779,40 +7689,6 @@ "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "value": "Invoke-Obfuscation STDIN+ Launcher - Security" }, - { - "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", - "meta": { - "author": "Vasiliy Burov, oscd.community", - "creation_date": "2020/10/16", - "falsepositive": [ - "Software uninstallation", - "Files restore activities" - ], - "filename": "win_security_susp_multiple_files_renamed_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "related": [ - { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", - "value": "Suspicious Multiple File Rename Or Delete Occurred" - }, { "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", "meta": { @@ -6826,8 +7702,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" ], "tags": [ @@ -6868,6 +7744,15 @@ "attack.t1027.001" ] }, + "related": [ + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", "value": "Failed Code Integrity Checks" }, @@ -6926,6 +7811,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "value": "Suspicious Outbound Kerberos Connection - Security" }, @@ -6950,6 +7844,15 @@ "attack.lateral_movement" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", "value": "Suspicious Remote Logon with Explicit Credentials" }, @@ -6977,6 +7880,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -6988,34 +7898,6 @@ "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "value": "Invoke-Obfuscation CLIP+ Launcher - Security" }, - { - "description": "Detects a source system failing to authenticate against a remote host with multiple users.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_remote_logons_single_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", - "value": "Multiple Users Remotely Failing To Authenticate From Single Source" - }, { "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "meta": { @@ -7040,6 +7922,13 @@ ] }, "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ @@ -7075,6 +7964,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -7158,8 +8054,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Flangvik/status/1283054508084473861", - "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], @@ -7168,6 +8064,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "value": "Sysmon Channel Reference Deletion" }, @@ -7259,7 +8164,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" ], "tags": [ @@ -7292,7 +8197,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" ], "tags": [ @@ -7336,6 +8241,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -7367,6 +8279,15 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'" }, @@ -7391,6 +8312,15 @@ "attack.t1547.009" ] }, + "related": [ + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", "value": "Windows Network Access Suspicious desktop.ini Action" }, @@ -7440,8 +8370,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/topotam/PetitPotam", - "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7474,8 +8404,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ @@ -7483,6 +8413,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f63508a0-c809-4435-b3be-ed819394d612", "value": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -7510,6 +8449,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -7534,8 +8480,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -7611,8 +8557,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", "https://adsecurity.org/?p=3458", + "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -7620,6 +8566,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", "value": "Suspicious Kerberos RC4 Ticket Encryption" }, @@ -7636,7 +8591,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" ], "tags": [ @@ -7679,6 +8634,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "value": "Windows Defender Exclusion Set" }, @@ -7703,6 +8667,15 @@ "attack.t1039" ] }, + "related": [ + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", "value": "Suspicious Access to Sensitive File Extensions" }, @@ -7735,6 +8708,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", @@ -7753,9 +8733,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": "No established tags" @@ -7776,7 +8756,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" ], "tags": [ @@ -7837,78 +8817,6 @@ "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, - { - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_scheduled_task_delete.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "value": "Important Scheduled Task Deleted/Disabled" - }, - { - "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/03/23", - "falsepositive": [ - "Software installation", - "Software updates" - ], - "filename": "win_security_rare_schtasks_creations.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "car.2013-08-001", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", - "value": "Rare Schtasks Creations" - }, { "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", "meta": { @@ -7922,7 +8830,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" ], "tags": [ @@ -7930,6 +8838,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", "value": "Protected Storage Service Access" }, @@ -7979,8 +8896,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" ], "tags": [ @@ -8022,6 +8939,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", "value": "Denied Access To Remote Desktop" }, @@ -8058,33 +8984,6 @@ "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "value": "HybridConnectionManager Service Installation" }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/01/10", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "e98374a6-e2d9-4076-9b5c-11bdb2569995", - "value": "Failed Logins with Different Accounts from Single Source System" - }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { @@ -8109,6 +9008,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -8141,6 +9047,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "value": "AD Privileged Users or Groups Reconnaissance" }, @@ -8157,7 +9072,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -8211,9 +9128,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], @@ -8248,6 +9165,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, @@ -8264,16 +9190,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://twitter.com/_xpn_/status/1268712093928378368", "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8283,6 +9209,13 @@ ] }, "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ @@ -8307,7 +9240,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", + "https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" ], "tags": [ @@ -8318,6 +9251,13 @@ ] }, "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ @@ -8342,7 +9282,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", + "https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" ], "tags": [ @@ -8350,6 +9290,15 @@ "attack.t1012" ] }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "value": "SysKey Registry Keys Access" }, @@ -8429,6 +9378,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", @@ -8447,8 +9403,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -8456,6 +9412,15 @@ "attack.t1012" ] }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", "value": "Azure AD Health Service Agents Registry Keys Access" }, @@ -8484,6 +9449,29 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2", "value": "External Remote RDP Logon from Public IP" }, @@ -8576,6 +9564,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "value": "Weak Encryption Enabled and Kerberoast" }, @@ -8602,6 +9599,13 @@ ] }, "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ @@ -8680,8 +9684,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -8689,6 +9693,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", "value": "SMB Create Remote File Admin Share" }, @@ -8714,6 +9727,15 @@ "attack.t1123" ] }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", "value": "Processes Accessing the Microphone and Webcam" }, @@ -8807,6 +9829,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", "value": "AD User Enumeration" }, @@ -8823,8 +9854,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=3466", + "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], @@ -8867,6 +9898,15 @@ "attack.t1550.002" ] }, + "related": [ + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", "value": "Successful Overpass the Hash Attempt" }, @@ -8883,9 +9923,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -8918,8 +9958,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ @@ -8953,9 +9993,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -8968,6 +10008,20 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -9046,10 +10100,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -9096,6 +10150,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", "value": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, @@ -9124,6 +10187,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", "value": "Valid Users Failing to Authenticate from Single Source Using NTLM" }, @@ -9152,6 +10224,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", "value": "Account Tampering - Suspicious Failed Logon Reasons" }, @@ -9236,8 +10317,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -9248,6 +10329,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", "value": "Win Susp Computer Name Containing Samtheadmin" }, @@ -9311,6 +10401,20 @@ ] }, "related": [ + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ @@ -9370,7 +10474,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", + "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" ], "tags": [ @@ -9380,6 +10484,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ @@ -9412,6 +10523,15 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "value": "NTLM Brute Force" }, @@ -9428,8 +10548,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://goo.gl/PsqrhT", "https://twitter.com/JohnLaTwC/status/1004895028995477505", + "https://goo.gl/PsqrhT", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" ], "tags": [ @@ -9437,6 +10557,15 @@ "attack.t1550.002" ] }, + "related": [ + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "value": "NTLM Logon" }, @@ -9488,8 +10617,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" ], "tags": [ @@ -9621,8 +10750,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_restriction_policies_block.yml" ], "tags": [ @@ -9630,6 +10759,15 @@ "attack.t1072" ] }, + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "value": "Restricted Software Access By SRP" }, @@ -9734,8 +10872,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" ], @@ -9866,6 +11004,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "6c82cf5c-090d-4d57-9188-533577631108", @@ -9909,9 +11054,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -9944,11 +11089,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nullsec.us/windows-event-log-audit-cve/", "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" ], "tags": [ @@ -10106,9 +11251,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -10119,23 +11264,23 @@ "value": "MSSQL Disable Audit Settings" }, { - "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/03/17", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/05", "falsepositive": [ - "Software installation" + "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" ], - "filename": "win_taskscheduler_rare_schtask_creation.yml", - "level": "low", + "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml" + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml" ], "tags": [ "attack.persistence", - "attack.s0111", "attack.t1053.005" ] }, @@ -10148,11 +11293,44 @@ "type": "related-to" } ], - "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", - "value": "Rare Scheduled Task Creations" + "uuid": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", + "value": "Scheduled Task Executed Uncommon LOLBIN" }, { - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_taskscheduler_execution_from_susp_locations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", + "value": "Scheduled Task Executed From A Suspicious Location" + }, + { + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "meta": { "author": "frack113", "creation_date": "2023/01/13", @@ -10181,39 +11359,7 @@ } ], "uuid": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", - "value": "Suspicious Security Scheduled Tasks Deleted" - }, - { - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_taskscheduler_susp_task_locations.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", - "value": "Suspicious Scheduled Tasks Locations" + "value": "Important Scheduled Task Deleted" }, { "description": "Detects plugged/unplugged USB devices", @@ -10237,6 +11383,15 @@ "attack.t1200" ] }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "value": "USB Device Plugged" }, @@ -10277,8 +11432,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/SBousseaden/status/1483810148602814466", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -10301,8 +11456,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1590434950335320065", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://twitter.com/wdormann/status/1590434950335320065", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml" ], "tags": [ @@ -10355,32 +11510,6 @@ "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", "value": "Block Load Of Revoked Driver" }, - { - "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", - "meta": { - "author": "Fabian Franz", - "creation_date": "2022/08/30", - "falsepositive": [ - "Legitimate administrative activity", - "Faulty scripts" - ], - "filename": "win_susp_failed_hidden_share_mount.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5", - "https://twitter.com/moti_b/status/1032645458634653697", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml" - ], - "tags": [ - "attack.t1021.002", - "attack.lateral_movement" - ] - }, - "uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb", - "value": "Failed Mounting of Hidden Share" - }, { "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", "meta": { @@ -10394,9 +11523,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/afwu/PrintNightmare", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" ], "tags": [ @@ -10404,6 +11533,15 @@ "attack.t1110.001" ] }, + "related": [ + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262", "value": "Suspicious Rejected SMB Guest Logon From IP" }, @@ -10443,9 +11581,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://winaero.com/enable-openssh-server-windows-10/", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" @@ -10455,6 +11593,15 @@ "attack.t1021.004" ] }, + "related": [ + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "value": "OpenSSH Server Listening On Socket" }, @@ -10471,9 +11618,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/fuzzyf10w/status/1410202370835898371", "https://github.com/afwu/PrintNightmare", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" ], "tags": [ @@ -10541,9 +11688,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -10555,7 +11702,7 @@ "value": "Standard User In High Privileged Group" }, { - "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", + "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/16", @@ -10591,8 +11738,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ @@ -10600,6 +11747,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856", "value": "Microsoft Defender Tamper Protection Trigger" }, @@ -10625,6 +11781,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", "value": "Windows Defender Threat Detection Disabled" }, @@ -10726,6 +11891,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", "value": "Windows Defender Exclusions Added" }, @@ -10774,6 +11948,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "value": "Windows Defender Exploit Guard Tamper" }, @@ -10856,8 +12039,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ @@ -10865,6 +12048,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "801bd44f-ceed-4eb6-887c-11544633c0aa", "value": "Windows Defender Suspicious Configuration Changes" }, @@ -10889,6 +12081,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "value": "Win Defender Restored Quarantine File" }, @@ -10906,8 +12107,8 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml" ], @@ -11078,9 +12279,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" ], "tags": [ @@ -11114,8 +12315,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" ], "tags": [ @@ -11149,8 +12350,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -11171,28 +12372,37 @@ "value": "Ngrok Usage with Remote Desktop Service" }, { - "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/08", "falsepositive": [ "Unknown" ], - "filename": "win_dns_server_susp_dns_config.yml", + "filename": "win_dns_server_susp_server_level_plugin_dll.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml" + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ "attack.defense_evasion", "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, @@ -11220,6 +12430,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -11255,6 +12472,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -11279,8 +12503,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ @@ -11329,6 +12553,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", "value": "New Service Uses Double Ampersand in Path" }, @@ -11354,6 +12587,15 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", "value": "Windows Pcap Drivers" }, @@ -11380,6 +12622,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -11458,6 +12707,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", "value": "New PDQDeploy Service - Client Side" }, @@ -11494,32 +12752,6 @@ "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "value": "Windows Update Error" }, - { - "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/03/08", - "falsepositive": [ - "Software installation", - "Software updates" - ], - "filename": "win_system_rare_service_installs.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ] - }, - "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", - "value": "Rare Service Installations" - }, { "description": "Detects PAExec service installation", "meta": { @@ -11577,6 +12809,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -11612,6 +12851,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -11702,9 +12948,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -11717,6 +12963,20 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -11773,9 +13033,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -11783,6 +13043,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "value": "DHCP Server Loaded the CallOut DLL" }, @@ -11810,6 +13079,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -11868,8 +13144,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -11901,8 +13177,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -11946,6 +13222,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -11979,6 +13262,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324", "value": "Moriya Rootkit - System" }, @@ -12040,6 +13332,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -12072,6 +13371,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System" }, @@ -12099,6 +13407,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -12131,6 +13446,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", "value": "New PDQDeploy Service - Server Side" }, @@ -12156,6 +13480,15 @@ "attack.s0363" ] }, + "related": [ + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "value": "NTLMv1 Logon Between Client and Server" }, @@ -12181,6 +13514,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", "value": "Service Installation in Suspicious Folder" }, @@ -12240,6 +13582,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -12356,6 +13705,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680", "value": "Windows Defender Threat Detection Disabled - Service" }, @@ -12415,6 +13773,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -12448,6 +13813,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "value": "Turla PNG Dropper Service" }, @@ -12474,6 +13848,15 @@ "attack.t1499.001" ] }, + "related": [ + { + "dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "value": "NTFS Vulnerability Exploitation" }, @@ -12499,6 +13882,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "value": "Turla Service Install" }, @@ -12551,9 +13943,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -12561,6 +13953,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", "value": "DHCP Server Error Failed Loading the CallOut DLL" }, @@ -12609,6 +14010,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "value": "Suspicious Service Installation Script" }, @@ -12667,6 +14077,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "value": "Suspicious Service Installation" }, @@ -12725,6 +14144,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", "value": "StoneDrill Service Install" }, @@ -12871,6 +14299,20 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ @@ -12939,6 +14381,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -12974,6 +14423,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -13009,6 +14465,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -13099,8 +14562,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" ], "tags": [ @@ -13143,6 +14606,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "value": "Service Installation with Suspicious Folder Pattern" }, @@ -13190,6 +14662,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", "value": "Exploit SamAccountName Spoofing with Kerberos" }, @@ -13206,8 +14687,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ @@ -13272,6 +14753,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "value": "Unsigned Binary Loaded From Suspicious Location" }, @@ -13296,6 +14786,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "value": "Microsoft Defender Blocked from Loading Unsigned DLL" }, @@ -13312,8 +14811,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml" ], "tags": [ @@ -13514,8 +15013,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -13549,8 +15048,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -13621,11 +15120,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -13643,6 +15142,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ @@ -13667,10 +15173,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -13693,10 +15199,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -13719,10 +15225,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -13733,7 +15239,7 @@ "value": "Suspicious Remote AppX Package Locations" }, { - "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious", + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/11", @@ -13745,10 +15251,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -13771,8 +15277,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -13795,9 +15301,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -13820,8 +15326,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -13852,6 +15358,15 @@ "attack.t1070" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "value": "Remove Exported Mailbox from Exchange Webserver" }, @@ -13909,6 +15424,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675", "value": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, @@ -13999,6 +15523,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7bc7038-638b-4ffd-880c-292c692209ef", "value": "Certificate Request Export to Exchange Webserver" }, @@ -14023,6 +15556,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48", "value": "Mailbox Export to Exchange Webserver" }, @@ -14101,49 +15643,14 @@ "falsepositive": [ "Unknown" ], - "filename": "create_stream_hash_susp_domain_ext_combo.yml", - "level": "high", - "logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" - ] - }, - "related": [ - { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "value": "Suspicious File Download from File Sharing Domain" - }, - { - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "create_stream_hash_susp_domain_ext_combo_med.yml", + "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml", "level": "medium", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" ], "tags": [ "attack.defense_evasion", @@ -14161,7 +15668,7 @@ } ], "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", - "value": "Unusual File Download from File Sharing Domain" + "value": "Unusual File Download From File Sharing Websites" }, { "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", @@ -14187,10 +15694,45 @@ "uuid": "573df571-a223-43bc-846e-3f98da481eca", "value": "Creation Of a Suspicious ADS File Outside a Browser Download" }, + { + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "value": "Suspicious File Download From File Sharing Websites" + }, { "description": "Detects the download of suspicious file type from URLs with IP", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022/09/07", "falsepositive": [ "Unknown" @@ -14201,6 +15743,7 @@ "logsource.product": "windows", "refs": [ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -14255,7 +15798,7 @@ "value": "Hacktool Download" }, { - "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", + "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", "meta": { "author": "Florian Roth (Nextron Systems), @0xrawsec", "creation_date": "2018/06/03", @@ -14286,7 +15829,7 @@ } ], "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "value": "Executable in ADS" + "value": "Hidden Executable In NTFS Alternate Data Stream" }, { "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", @@ -14342,6 +15885,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", "value": "RedMimicry Winnti Playbook Registry Manipulation" }, @@ -14367,6 +15919,22 @@ "attack.t1123" ] }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", "value": "Suspicious Camera and Microphone Access" }, @@ -14384,9 +15952,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -14422,8 +15990,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://persistence-info.github.io/Data/recyclebin.html", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -14431,6 +15999,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", "value": "Registry Persistence Mechanisms in Recycle Bin" }, @@ -14482,8 +16059,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -14517,9 +16094,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -14562,6 +16139,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "value": "Suspicious Run Key from Download" }, @@ -14587,6 +16173,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "value": "Run Once Task Configuration in Registry" }, @@ -14646,6 +16241,22 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "value": "Disable Security Events Logging Adding Reg Key MiniNt" }, @@ -14768,6 +16379,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", "value": "Leviathan Registry Key Activity" }, @@ -14793,6 +16413,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "value": "OceanLotus Registry Activity" }, @@ -14809,8 +16438,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ @@ -14853,6 +16482,22 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "value": "NetNTLM Downgrade Attack - Registry" }, @@ -14869,8 +16514,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -14881,6 +16526,15 @@ "car.2014-11-008" ] }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", "value": "Sticky Key Like Backdoor Usage - Registry" }, @@ -14938,6 +16592,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", "value": "Narrator's Feedback-Hub Persistence" }, @@ -14962,6 +16625,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "value": "Registry Entries For Azorult Malware" }, @@ -15014,8 +16686,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" ], "tags": [ @@ -15023,6 +16695,15 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", "value": "Windows Registry Trust Record Modification" }, @@ -15039,8 +16720,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -15057,6 +16738,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", @@ -15083,6 +16771,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "value": "Wdigest CredGuard Registry Modification" }, @@ -15107,6 +16804,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", "value": "WINEKEY Registry Modification" }, @@ -15189,10 +16895,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/hfiref0x/UACME", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -15209,6 +16915,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", @@ -15235,6 +16948,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", "value": "FlowCloud Malware" }, @@ -15341,6 +17063,20 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ @@ -15386,39 +17122,6 @@ "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "value": "Pandemic Registry Key" }, - { - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/26", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", - "level": "medium", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", - "value": "Removal Of Index Value to Hide Schedule Task" - }, { "description": "Detects the deletion of registry keys containing the MSTSC connection history", "meta": { @@ -15443,8 +17146,24 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "value": "Terminal Server Client Connection History Cleared" + "value": "Terminal Server Client Connection History Cleared - Registry" }, { "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware", @@ -15454,13 +17173,13 @@ "falsepositive": [ "Unknown" ], - "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", + "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml", "level": "medium", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" ], "tags": [ "attack.defense_evasion", @@ -15477,10 +17196,10 @@ } ], "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", - "value": "Removal Of SD Value to Hide Schedule Task" + "value": "Removal Of SD Value to Hide Schedule Task - Registry" }, { - "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", + "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "meta": { "author": "frack113", "creation_date": "2021/06/07", @@ -15501,16 +17220,25 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41d1058a-aea7-4952-9293-29eaaf516465", - "value": "Removal Of Amsi Provider Reg Key" + "value": "Removal Of AMSI Provider Registry Keys" }, { - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ - "Legitimate administrators removing applications (should always be monitored)" + "Legitimate administrators removing applications (should always be investigated)" ], "filename": "registry_delete_exploit_guard_protected_folders.yml", "level": "high", @@ -15525,11 +17253,53 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", - "value": "Removal Of Folder From ProtectedFolders In Exploit Guard" + "value": "Folder Removed From Exploit Guard ProtectedFolders List - Registry" }, { - "description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "value": "Removal Of Index Value to Hide Schedule Task - Registry" + }, + { + "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/05/02", @@ -15541,10 +17311,10 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], @@ -15553,9 +17323,52 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "value": "Removal of Potential COM Hijacking Registry Keys" }, + { + "description": "Detects registry keys related to Ursnif malware.", + "meta": { + "author": "megan201296", + "creation_date": "2019/02/13", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_malware_ursnif.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "21f17060-b282-4249-ade0-589ea3591558", + "value": "Potential Ursnif Malware Activity - Registry" + }, { "description": "Detects COM object hijacking via TreatAs subkey", "meta": { @@ -15564,13 +17377,13 @@ "falsepositive": [ "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], - "filename": "registry_add_persistence_key_linking.yml", + "filename": "registry_add_persistence_com_key_linking.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml" ], "tags": [ "attack.persistence", @@ -15587,99 +17400,7 @@ } ], "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", - "value": "Windows Registry Persistence COM Key Linking" - }, - { - "description": "Detects new registry key created by Ursnif malware.", - "meta": { - "author": "megan201296", - "creation_date": "2019/02/13", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_mal_ursnif.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112" - ] - }, - "uuid": "21f17060-b282-4249-ade0-589ea3591558", - "value": "Ursnif" - }, - { - "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "related": [ - { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", - "value": "Sysinternals SDelete Registry Keys" - }, - { - "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/24", - "falsepositive": [ - "Legitimate use of SysInternals tools" - ], - "filename": "registry_add_susp_sysinternals_eula_accepted.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "related": [ - { - "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", - "value": "Usage of Suspicious Sysinternals Tools" + "value": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" }, { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", @@ -15689,109 +17410,24 @@ "falsepositive": [ "Legitimate new entry added by windows" ], - "filename": "registry_add_disk_cleanup_handler_new_entry_persistence.yml", + "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml" + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", - "value": "Persistence Via Disk Cleanup Handler - NewEntry" + "value": "Potential Persistence Via Disk Cleanup Handler - Registry" }, { - "description": "Detects the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "related": [ - { - "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", - "value": "Usage of Renamed Sysinternals Tools" - }, - { - "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", - "meta": { - "author": "Christopher Peacock", - "creation_date": "2021/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_mal_netwire.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", - "value": "NetWire RAT Registry Key" - }, - { - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate security products adding their own AMSI providers" - ], - "filename": "registry_add_amsi_providers_persistence.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", - "https://persistence-info.github.io/Data/amsi.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", - "value": "Persistence Via New AMSI Providers" - }, - { - "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", + "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", "meta": { "author": "Markus Neis", "creation_date": "2017/08/28", @@ -15799,13 +17435,13 @@ "Legitimate use of SysInternals tools", "Programs that use the same Registry Key" ], - "filename": "registry_add_sysinternals_eula_accepted.yml", + "filename": "registry_add_pua_sysinternals_execution_via_eula.yml", "level": "low", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml" ], "tags": [ "attack.resource_development", @@ -15822,7 +17458,101 @@ } ], "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", - "value": "Usage of Sysinternals Tools - Registry" + "value": "PUA - Sysinternal Tool Execution - Registry" + }, + { + "description": "Detects registry keys related to NetWire RAT", + "meta": { + "author": "Christopher Peacock", + "creation_date": "2021/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_malware_netwire.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "value": "Potential NetWire RAT Activity - Registry" + }, + { + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", + "value": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" + }, + { + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate security products adding their own AMSI providers. Filter these according to your environment" + ], + "filename": "registry_add_persistence_amsi_providers.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "value": "Potential Persistence Via New AMSI Providers - Registry" }, { "description": "Detects creation of UserInitMprLogonScript persistence method", @@ -15832,13 +17562,13 @@ "falsepositive": [ "Exclude legitimate logon scripts" ], - "filename": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml", + "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml", "level": "high", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" ], "tags": [ "attack.t1037.001", @@ -15856,7 +17586,82 @@ } ], "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" + "value": "Potential Persistence Via Logon Scripts - Registry" + }, + { + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/24", + "falsepositive": [ + "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" + ], + "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "value": "PUA - Sysinternals Tools Execution - Registry" + }, + { + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_dns_server_level_plugin_dll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "value": "New DNS ServerLevelPluginDll Installed" }, { "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", @@ -15871,9 +17676,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -15893,6 +17698,39 @@ "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", "value": "Execution DLL of Choice Using WAB.EXE" }, + { + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/02", + "falsepositive": [ + "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "filename": "registry_set_sophos_av_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "value": "Tamper With Sophos AV Registry Keys" + }, { "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", "meta": { @@ -15906,8 +17744,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -15940,8 +17778,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -15953,6 +17791,13 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -15985,6 +17830,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", "value": "Activate Suppression of Windows Security Center Notifications" }, @@ -16001,8 +17855,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ @@ -16025,8 +17879,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/rootm0s/WinPwnage", + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -16074,11 +17928,52 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", "value": "CrashControl CrashDump Disabled" }, + { + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", + "value": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" + }, { "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", "meta": { @@ -16113,31 +18008,6 @@ "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", "value": "Disable UAC Using Registry" }, - { - "description": "Detects the manipulation of persistent URLs which can be malicious", - "meta": { - "author": "Tobias Michalski (Nextron Systems)", - "creation_date": "2021/06/09", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_outlook_registry_webview.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ] - }, - "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "value": "Persistent Outlook Landing Pages" - }, { "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", "meta": { @@ -16159,6 +18029,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "value": "Registry Explorer Policy Modification" }, @@ -16175,11 +18054,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -16223,31 +18102,6 @@ "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "value": "Potential Attachment Manager Settings Associations Tamper" }, - { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/05/08", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_dns_serverlevelplugindll.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ] - }, - "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", - "value": "DNS ServerLevelPluginDll Install - Registry" - }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { @@ -16262,9 +18116,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -16272,6 +18126,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", "value": "CurrentVersion NT Autorun Keys Modification" }, @@ -16288,13 +18151,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -16303,6 +18166,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "value": "RDP Sensitive Settings Changed to Zero" }, @@ -16327,6 +18199,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "value": "Scripted Diagnostics Turn Off Check Enabled - Registry" }, @@ -16343,8 +18224,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://twitter.com/malmoeb/status/1560536653709598721", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -16368,9 +18249,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -16380,6 +18261,13 @@ ] }, "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", "tags": [ @@ -16404,8 +18292,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://persistence-info.github.io/Data/wer_debugger.html", + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" ], "tags": [ @@ -16501,6 +18389,15 @@ "attack.t1547.004" ] }, + "related": [ + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "value": "Winlogon Notify Key Logon Persistence" }, @@ -16526,6 +18423,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83314318-052a-4c90-a1ad-660ece38d276", "value": "Blackbyte Ransomware Registry" }, @@ -16542,9 +18448,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" ], "tags": [ @@ -16552,6 +18458,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "value": "Office Security Settings Changed" }, @@ -16581,6 +18496,20 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -16613,6 +18542,15 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" }, @@ -16664,10 +18602,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -16675,6 +18613,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "value": "Wow6432Node CurrentVersion Autorun Keys Modification" }, @@ -16691,8 +18638,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", + "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -16733,6 +18680,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", "value": "Disable Tamper Protection on Windows Defender" }, @@ -16750,7 +18706,8 @@ "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", + "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -16758,6 +18715,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", "value": "Wdigest Enable UseLogonCredential" }, @@ -16774,8 +18740,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -16783,6 +18749,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", "value": "Change the Fax Dll" }, @@ -16809,6 +18784,13 @@ ] }, "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ @@ -16841,6 +18823,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", "value": "Disable PUA Protection on Windows Defender" }, @@ -16857,9 +18848,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/gtworek/PSBits/tree/master/SIP", + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -16894,9 +18885,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -16904,33 +18895,18 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9df5f547-c86a-433e-b533-f2794357e242", "value": "Classes Autorun Keys Modification" }, - { - "description": "Detects the manipulation of persistent URLs which could execute malicious code", - "meta": { - "author": "Tobias Michalski (Nextron Systems)", - "creation_date": "2021/06/10", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_outlook_registry_todaypage.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ] - }, - "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "value": "Persistent Outlook Landing Today Pages" - }, { "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", "meta": { @@ -17019,6 +18995,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "value": "Disable Privacy Settings Experience in Registry" }, @@ -17068,8 +19053,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ @@ -17125,8 +19110,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://twitter.com/WhichbufferArda/status/1543900539280293889", + "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -17159,8 +19144,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" ], "tags": [ @@ -17204,6 +19189,13 @@ ] }, "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ @@ -17221,7 +19213,7 @@ "author": "frack113, Florian Roth", "creation_date": "2022/03/17", "falsepositive": [ - "Legitimate admin or third party scripts. Baseline according to your environnement" + "Legitimate admin or third party scripts. Baseline according to your environment" ], "filename": "registry_set_powershell_in_run_keys.yml", "level": "medium", @@ -17237,6 +19229,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", "value": "Suspicious Powershell In Registry Run Keys" }, @@ -17261,6 +19262,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11", "value": "Registry Persistence via Explorer Run Key" }, @@ -17314,8 +19324,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ @@ -17338,8 +19348,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -17437,6 +19447,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "value": "New RUN Key Pointing to Suspicious Folder" }, @@ -17494,6 +19513,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "value": "Service Binary in Suspicious Folder" }, @@ -17518,42 +19546,17 @@ "attack.t1112" ] }, - "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", - "value": "NET NGenAssemblyUsageLog Registry Key Tamper" - }, - { - "description": "Change outlook email security settings", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Administrative scripts" - ], - "filename": "registry_set_outlook_security.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ] - }, "related": [ { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", - "value": "Change Outlook Security Setting in Registry" + "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", + "value": "NET NGenAssemblyUsageLog Registry Key Tamper" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", @@ -17569,10 +19572,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -17580,6 +19583,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "value": "Common Autorun Keys Modification" }, @@ -17606,6 +19618,13 @@ ] }, "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ @@ -17656,7 +19675,7 @@ "author": "frack113", "creation_date": "2022/08/19", "falsepositive": [ - "Legitmate use of the feature (alerts should be investigated either way)" + "Legitimate use of the feature (alerts should be investigated either way)" ], "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", "level": "medium", @@ -17671,6 +19690,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "value": "Allow RDP Remote Assistance Feature" }, @@ -17687,13 +19715,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -17702,6 +19730,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "value": "RDP Sensitive Settings Changed" }, @@ -17752,9 +19789,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -17762,6 +19799,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "value": "Office Autorun Keys Modification" }, @@ -17779,9 +19825,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -17789,6 +19835,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18f2065c-d36c-464a-a748-bcf909acb2e3", "value": "Wow6432Node Classes Autorun Keys Modification" }, @@ -17813,9 +19868,69 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6", "value": "Registry Hide Function from User" }, + { + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/04/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "396ae3eb-4174-4b9b-880e-dc0364d78a19", + "value": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" + }, { "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", "meta": { @@ -17996,6 +20111,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", "value": "Windows Defender Exclusions Added - Registry" }, @@ -18012,9 +20136,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -18048,9 +20172,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -18058,6 +20182,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "value": "WinSock2 Autorun Keys Modification" }, @@ -18082,6 +20215,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "value": "Disabled Windows Defender Eventlog" }, @@ -18139,6 +20281,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "value": "Potential Persistence Via Custom Protocol Handler" }, @@ -18165,6 +20316,13 @@ ] }, "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ @@ -18197,6 +20355,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "277dc340-0540-42e7-8efb-5ff460045e07", "value": "Service Binary in Uncommon Folder" }, @@ -18246,10 +20413,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -18257,9 +20424,52 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263", "value": "Disable Windows Defender Functionalities Via Registry Keys" }, + { + "description": "Detects potential persistence activity via outlook home pages.", + "meta": { + "author": "Tobias Michalski (Nextron Systems)", + "creation_date": "2021/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_outlook_homepage.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "value": "Potential Persistence Via Outlook Home Page" + }, { "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", "meta": { @@ -18330,6 +20540,57 @@ "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", "value": "UAC Bypass via Sdclt" }, + { + "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", + "meta": { + "author": "@ScoubiMtl", + "creation_date": "2021/04/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_office_outlook_enable_macro_execution.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "value": "Outlook Macro Execution Without Warning Setting Enabled" + }, { "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "meta": { @@ -18420,56 +20681,6 @@ "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", "value": "Potential Registry Persistence Attempt Via Windows Telemetry" }, - { - "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.", - "meta": { - "author": "@ScoubiMtl", - "creation_date": "2021/04/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_outlook_c2_registry_key.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" - ] - }, - "related": [ - { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "value": "Outlook C2 Registry Key" - }, { "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", "meta": { @@ -18509,7 +20720,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ - "Legitmate use of the multi session functionality" + "Legitimate use of the multi session functionality" ], "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", "level": "medium", @@ -18547,6 +20758,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "value": "Add DisallowRun Execution to Registry" }, @@ -18563,8 +20783,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ @@ -18597,8 +20817,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://persistence-info.github.io/Data/naturallanguage6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ @@ -18654,8 +20874,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -18691,9 +20911,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -18701,6 +20921,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" }, @@ -18717,8 +20946,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/mpnotify.html", "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://persistence-info.github.io/Data/mpnotify.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ @@ -18742,9 +20971,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -18752,6 +20981,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "value": "CurrentControlSet Autorun Keys Modification" }, @@ -18801,8 +21039,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://persistence-info.github.io/Data/aedebug.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -18833,6 +21071,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0", "value": "Suspicious Application Allowed Through Exploit Guard" }, @@ -18850,9 +21097,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -18860,6 +21107,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "value": "System Scripts Autorun Keys Modification" }, @@ -18876,8 +21132,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -18885,6 +21141,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "value": "Disabled RestrictedAdminMode For RDS" }, @@ -18901,9 +21166,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -18936,9 +21201,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -18947,6 +21212,22 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", "value": "DHCP Callout DLL Installation" }, @@ -18998,8 +21279,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -19033,8 +21314,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml" ], "tags": [ @@ -19042,6 +21323,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", "value": "Modification of IE Registry Settings" }, @@ -19089,9 +21379,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.sans.org/cyber-security-summit/archives", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -19113,30 +21403,6 @@ "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "value": "Enabling COR Profiler Environment Variables" }, - { - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/02", - "falsepositive": [ - "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "filename": "registry_set_sophos_av_tamaper.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "value": "Tamper With Sophos AV Registry Keys" - }, { "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "meta": { @@ -19206,7 +21472,7 @@ "value": "Set TimeProviders DllName" }, { - "description": "Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings", + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/20", @@ -19242,8 +21508,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -19251,6 +21517,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3fdf743-f05b-4051-990a-b66919be1743", "value": "Change User Account Associated with the FAX Service" }, @@ -19287,6 +21562,40 @@ "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "value": "Disable Administrative Share Creation at Startup" }, + { + "description": "Detects changes to the registry values related to outlook security settings", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Administrative activity" + ], + "filename": "registry_set_office_outlook_security_settings.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "value": "Outlook Security Settings Updated - Registry" + }, { "description": "Detects disabling Windows Defender Exploit Guard Network Protection", "meta": { @@ -19308,6 +21617,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", "value": "Disable Exploit Guard Network Protection on Windows Defender" }, @@ -19392,6 +21710,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)" }, @@ -19443,7 +21770,7 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], @@ -19486,6 +21813,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "value": "Windows Defender Service Disabled" }, @@ -19502,9 +21838,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/998627081360695297", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/VakninHai/status/1517027824984547329", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://twitter.com/pabraeken/status/998627081360695297", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -19524,6 +21860,39 @@ "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "value": "ScreenSaver Registry Key Set" }, + { + "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", + "meta": { + "author": "Tobias Michalski (Nextron Systems)", + "creation_date": "2021/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_outlook_todaypage.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "value": "Potential Persistence Via Outlook Today Pages" + }, { "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "meta": { @@ -19570,6 +21939,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "value": "Modify User Shell Folders Startup Value" }, @@ -19586,8 +21964,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://youtu.be/zSihR3lTf7g", + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -19595,6 +21973,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", "value": "Disable Sysmon Event Logging Via Registry" }, @@ -19612,10 +21999,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -19623,6 +22010,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", "value": "CurrentVersion Autorun Keys Modification" }, @@ -19673,8 +22069,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://unit42.paloaltonetworks.com/ransomware-families/", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -19705,8 +22101,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -19792,6 +22188,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c637634-c95d-4bbf-b26c-a82510874b34", "value": "Disable Microsoft Office Security Features" }, @@ -19816,6 +22221,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", "value": "Suspicious Service Installed" }, @@ -19857,10 +22271,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/issues/1371", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://github.com/elastic/detection-rules/issues/1371", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -19876,6 +22290,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", @@ -19902,9 +22323,44 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "value": "Disable Windows Security Center Notifications" }, + { + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_event_viewer_events_asp.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1626648985824788480", + "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", + "value": "Potential Persistence Via Event Viewer Events.asp" + }, { "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", "meta": { @@ -19951,8 +22407,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], @@ -19976,17 +22432,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://twitter.com/_xpn_/status/1268712093928378368", "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -19996,6 +22452,13 @@ ] }, "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ @@ -20054,9 +22517,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -20064,6 +22527,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", "value": "Internet Explorer Autorun Keys Modification" }, @@ -20080,8 +22552,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -20114,9 +22586,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -20124,6 +22596,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", "value": "Disable Internal Tools or Feature in Registry" }, @@ -20140,8 +22621,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", + "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" ], "tags": [ @@ -20149,6 +22630,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "160d2780-31f7-4922-8b3a-efce30e63e96", "value": "Potential AMSI COM Server Hijacking" }, @@ -20165,9 +22655,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://twitter.com/0gtweet/status/1468548924600459267", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], @@ -20199,6 +22689,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", "value": "VBScript Payload Stored in Registry" }, @@ -20215,8 +22714,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ @@ -20250,6 +22749,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", "value": "ServiceDll Hijack" }, @@ -20275,41 +22783,52 @@ "attack.t1574.002" ] }, - "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", - "value": "Abusing Azure Browser SSO" - }, - { - "description": "Detects any assembly DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, "related": [ { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "value": "dotNET DLL Loaded Via Office Applications" + "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "value": "Abusing Azure Browser SSO" + }, + { + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "meta": { + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "creation_date": "2019/10/27", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", + "value": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded" }, { "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", @@ -20349,71 +22868,85 @@ "value": "WMIC Loading Scripting Libraries" }, { - "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", "meta": { - "author": "frack113", - "creation_date": "2022/12/31", + "author": "SBousseaden", + "creation_date": "2019/10/28", "falsepositive": [ "Unknown" ], - "filename": "image_load_lolbin_coregen.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lolbin_coregen.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1055" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", - "value": "Potential DLL Sideloading Using Coregen.exe" - }, - { - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/07", - "falsepositive": [ - "Other DLLs with that import hash" - ], - "filename": "image_load_sysmon_disable_sharpevtmute.yml", + "filename": "image_load_side_load_svchost_dlls.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml" ], "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1562.002" + "attack.t1574.002", + "attack.t1574.001" ] }, "related": [ { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "49329257-089d-46e6-af37-4afce4290685", - "value": "SharpEvtMute Imphash EvtMuteHook Load" + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "value": "Svchost DLL Search Order Hijack" + }, + { + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/09/02", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "filename": "image_load_scrcons_wmi_scripteventconsumer.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ] + }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "value": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load" }, { "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", @@ -20428,8 +22961,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -20440,6 +22973,22 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6360757a-d460-456c-8b13-74cf0e60cceb", "value": "Potential DLL Sideloading Via comctl32.dll" }, @@ -20456,8 +23005,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" @@ -20489,54 +23038,20 @@ "value": "Suspicious WSMAN Provider Image Loads" }, { - "description": "Detects DSParse DLL being loaded by an Office Product", + "description": "Detects the image load of VSS DLL by uncommon executables", "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dsparse_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "value": "Active Directory Parsing DLL Loaded Via Office Applications" - }, - { - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "meta": { - "author": "Markus Neis, @markus_neis", - "creation_date": "2021/07/07", + "author": "frack113", + "creation_date": "2022/10/31", "falsepositive": [ "Unknown" ], - "filename": "image_load_susp_vss_ps_load.yml", + "filename": "image_load_dll_vssapi_susp_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", - "https://twitter.com/am0nsec/status/1412232114980982787", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" + "https://github.com/ORCx41/DeleteShadowCopies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml" ], "tags": [ "attack.defense_evasion", @@ -20553,8 +23068,42 @@ "type": "related-to" } ], - "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "value": "Image Load of VSS_PS.dll by Uncommon Executable" + "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "value": "Suspicious Volume Shadow Copy Vssapi.dll Load" + }, + { + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1555200155351228419", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", + "value": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32" }, { "description": "Attempts to load dismcore.dll after dropping it", @@ -20587,6 +23136,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", @@ -20605,8 +23161,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/tifkin_/status/1321916444557365248", "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" ], "tags": [ @@ -20626,39 +23182,6 @@ "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", "value": "PCRE.NET Package Image Load" }, - { - "description": "Detects any GAC DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "value": "GAC DLL Loaded Via Office Applications" - }, { "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", "meta": { @@ -20695,98 +23218,113 @@ "value": "UAC Bypass Using Iscsicpl - ImageLoad" }, { - "description": "Detects CLR DLL being loaded by an Office Product", + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/07", "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" + "Other DLLs with the same Imphash" ], - "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", + "filename": "image_load_hktl_sharpevtmute.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml" ], "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion", + "attack.t1562.002" ] }, "related": [ { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "value": "CLR DLL Loaded Via Office Applications" + "uuid": "49329257-089d-46e6-af37-4afce4290685", + "value": "HackTool - SharpEvtMute DLL Load" }, { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", + "author": "NVISO", + "creation_date": "2020/05/04", "falsepositive": [ - "Very unlikely" + "Unlikely" ], - "filename": "image_load_pingback_backdoor.yml", + "filename": "image_load_side_load_ualapi.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" + "https://windows-internals.com/faxing-your-way-to-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ualapi.yml" ], "tags": [ "attack.persistence", - "attack.t1574.001" - ] - }, - "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "value": "Pingback Backdoor - Image" - }, - { - "description": "Detects certain DLL loads when Mimikatz gets executed", - "meta": { - "author": "sigma", - "creation_date": "2017/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_mimikatz_inmemory_detection.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" - ], - "tags": [ - "attack.s0002", - "attack.t1003", - "attack.lateral_movement", - "attack.credential_access", - "car.2019-04-004" + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", - "value": "Mimikatz In-Memory" + "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "value": "Fax Service DLL Search Order Hijack" + }, + { + "description": "Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness" + ], + "filename": "image_load_dll_system_drawing_load.yml", + "level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_drawing_load.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", + "value": "System Drawing DLL Load" }, { "description": "Detects WMI command line event consumers", @@ -20827,7 +23365,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/01", "falsepositive": [ - "FP could occure if the legitimate version of vmGuestLib already exists on the system" + "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], "filename": "image_load_side_load_vmguestlib.yml", "level": "medium", @@ -20845,11 +23383,27 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", "value": "VMGuestLib DLL Sideload" }, { - "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation", + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/09", @@ -20861,12 +23415,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -20877,6 +23431,22 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "value": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders" }, @@ -20904,6 +23474,22 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", "value": "Web Browsers DLL Sideloading" }, @@ -20931,24 +23517,239 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "value": "DLL Sideloading Of DBGCORE.DLL" }, { - "description": "Detects the image load of VSS DLL by uncommon executables", + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "meta": { "author": "frack113", - "creation_date": "2022/10/31", + "creation_date": "2022/12/14", "falsepositive": [ "Unknown" ], - "filename": "image_load_susp_vss_dll_load.yml", + "filename": "image_load_side_load_jsschhlp.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "value": "Potential DLL Sideloading Via JsSchHlp" + }, + { + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/31", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_coregen.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_coregen.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1055" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + "value": "Potential DLL Sideloading Using Coregen.exe" + }, + { + "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", + "meta": { + "author": "Greg (rule)", + "creation_date": "2022/06/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_dll_sdiageng_load_by_msdt.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ORCx41/DeleteShadowCopies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" + "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE" + }, + { + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/09/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_malware_foggyweb_nobelium.yml", + "level": "critical", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_malware_foggyweb_nobelium.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ] + }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "value": "FoggyWeb Backdoor DLL Loading" + }, + { + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + ], + "filename": "image_load_side_load_from_non_system_location.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "value": "Potential System DLL Sideloading From Non System Locations" + }, + { + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "meta": { + "author": "Markus Neis, @markus_neis", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_dll_vss_ps_susp_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/am0nsec/status/1412232114980982787", + "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ "attack.defense_evasion", @@ -20965,190 +23766,8 @@ "type": "related-to" } ], - "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "value": "Image Load of VSS Dll by Uncommon Executable" - }, - { - "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", - "meta": { - "author": "frack113", - "creation_date": "2022/12/14", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_side_load_jsschhlp.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "68654bf0-4412-43d5-bfe8-5eaa393cd939", - "value": "Potential DLL Sideloading Via JsSchHlp" - }, - { - "description": "Detects SILENTTRINITY stager use", - "meta": { - "author": "Aleksey Potapov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_silenttrinity_stage_use.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071" - ] - }, - "related": [ - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", - "value": "SILENTTRINITY Stager Execution - DLL" - }, - { - "description": "A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_system_drawing_load.yml", - "level": "low", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "value": "Suspicious System.Drawing Load" - }, - { - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" - ], - "filename": "image_load_side_load_from_non_system_location.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://hijacklibs.net/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "value": "Potential System DLL Sideloading From Non System Locations" - }, - { - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/30", - "falsepositive": [ - "Unikely" - ], - "filename": "image_load_susp_cmstp.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ] - }, - "related": [ - { - "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", - "value": "Cmstp Suspicious DLL Load" - }, - { - "description": "Detects Kerberos DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_kerberos_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "value": "Active Directory Kerberos DLL Loaded Via Office Applications" + "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "value": "Suspicious Volume Shadow Copy VSS_PS.dll Load" }, { "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", @@ -21173,43 +23792,59 @@ "attack.t1574.002" ] }, - "uuid": "90ae0469-0cee-4509-b67f-e5efcef040f7", - "value": "Aruba Network Service Potential DLL Sideloading" - }, - { - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "meta": { - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", - "creation_date": "2019/10/27", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_dbghelp_dbgcore_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", - "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" + "uuid": "90ae0469-0cee-4509-b67f-e5efcef040f7", + "value": "Aruba Network Service Potential DLL Sideloading" + }, + { + "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", + "meta": { + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "creation_date": "2019/11/14", + "falsepositive": [ + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" + ], + "filename": "image_load_dll_system_management_automation_susp_load.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" + ], + "tags": [ + "attack.t1059.001", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "value": "PowerShell Core DLL Loaded By Non PowerShell Process" }, { "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", @@ -21237,9 +23872,91 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "value": "Potential Antivirus Software DLL Sideloading" }, + { + "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", + "meta": { + "author": "frack113", + "creation_date": "2022/02/03", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_advapi32.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hlldz/Phant0m", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_advapi32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", + "value": "Suspicious Load of Advapi31.dll" + }, + { + "description": "Detects any assembly DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Legitimate macro usage. Add the appropriate filter according to your environment" + ], + "filename": "image_load_office_dotnet_assembly_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "value": "DotNET DLL Loaded Via Office Applications" + }, { "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", "meta": { @@ -21264,6 +23981,22 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "value": "Third Party Software DLL Sideloading" }, @@ -21290,6 +24023,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ @@ -21301,6 +24041,39 @@ "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load" }, + { + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_side_load_vmware_xfer.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmware_xfer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "value": "Potential DLL Sideloading Via VMware Xfer" + }, { "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", "meta": { @@ -21315,8 +24088,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.py2exe.org/", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", + "https://www.py2exe.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ @@ -21324,11 +24097,20 @@ "attack.t1027.002" ] }, + "related": [ + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "value": "Python Py2Exe Image Load" }, { - "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", "meta": { "author": "omkar72, oscd.community", "creation_date": "2020/10/14", @@ -21340,10 +24122,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://github.com/tyranid/DotNetToJScript", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://thewover.github.io/Introducing-Donut/", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -21352,34 +24134,86 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", - "value": "CLR DLL Loaded Via Scripting Applications" + "value": "DotNet CLR DLL Loaded By Scripting Applications" }, { - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "meta": { - "author": "NVISO", - "creation_date": "2020/05/04", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "creation_date": "2019/10/27", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "image_load_susp_fax_dll.yml", + "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://windows-internals.com/faxing-your-way-to-system/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", + "value": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_malware_pingback_backdoor.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_malware_pingback_backdoor.yml" ], "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" + "attack.t1574.001" ] }, - "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "value": "Fax Service DLL Search Order Hijack" + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "value": "Pingback Backdoor DLL Loading Activity" }, { "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", @@ -21394,7 +24228,7 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" ], "tags": [ @@ -21439,41 +24273,24 @@ "attack.t1574.002" ] }, - "uuid": "caa02837-f659-466f-bca6-48bde2826ab4", - "value": "Potential DLL Sideloading Via ClassicExplorer32.dll" - }, - { - "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/09/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_foggyweb_nobelium.yml", - "level": "critical", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587" - ] - }, "related": [ { - "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "value": "FoggyWeb Backdoor DLL Loading" + "uuid": "caa02837-f659-466f-bca6-48bde2826ab4", + "value": "Potential DLL Sideloading Via ClassicExplorer32.dll" }, { "description": "Detects DLL sideloading of \"dbghelp.dll\"", @@ -21499,36 +24316,123 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "value": "DLL Sideloading Of DBGHELP.DLL" }, { - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", + "description": "Detects SILENTTRINITY stager dll loading activity", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/01", + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "image_load_side_load_scm.yml", - "level": "medium", + "filename": "image_load_hktl_silenttrinity_stager.yml", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "value": "HackTool - SILENTTRINITY Stager DLL Load" + }, + { + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/02", + "falsepositive": [ + "Very unlikely" + ], + "filename": "image_load_side_load_windows_defender.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_windows_defender.yml" ], "tags": [ "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", "attack.t1574.002" ] }, - "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", - "value": "SCM DLL Sideload" + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "value": "Microsoft Defender Loading DLL from Nondefault Path" + }, + { + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unikely" + ], + "filename": "image_load_cmstp_load_dll_from_susp_location.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ] + }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", + "value": "DLL Loaded From Suspicious Location Via Cmspt.EXE" }, { "description": "Detects non wmiprvse loading WMI modules", @@ -21543,7 +24447,7 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", + "https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" ], "tags": [ @@ -21564,96 +24468,37 @@ "value": "WMI Modules Loaded" }, { - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "description": "Detects DSParse DLL being loaded by an Office Product", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/14", + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", "falsepositive": [ - "Unlikely" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", + "filename": "image_load_office_dsparse_dll_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1555200155351228419", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dsparse_dll_load.yml" ], "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" + "attack.execution", + "attack.t1204.002" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", - "value": "Rundll32 Loading Renamed Comsvcs DLL" - }, - { - "description": "Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", - "meta": { - "author": "Greg (rule)", - "creation_date": "2022/06/17", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_msdt_sdiageng.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" - ] - }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "value": "MSDT.exe Loading Diagnostic Library" - }, - { - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "value": "VMware Xfer Loading DLL from Nondefault Path" + "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "value": "Active Directory Parsing DLL Loaded Via Office Applications" }, { "description": "Loading unsigned image (DLL, EXE) into LSASS process", @@ -21688,39 +24533,6 @@ "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "value": "Unsigned Image Loaded Into LSASS Process" }, - { - "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_winword_vbadll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", - "value": "VBA DLL Loaded Via Office Application" - }, { "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", "meta": { @@ -21742,6 +24554,15 @@ "attack.t1070" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "value": "DLL Load By System Process From Suspicious Locations" }, @@ -21766,9 +24587,51 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "value": "Possible Process Hollowing Image Loading" }, + { + "description": "Detects any GAC DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Legitimate macro usage. Add the appropriate filter according to your environment" + ], + "filename": "image_load_office_dotnet_gac_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "value": "GAC DLL Loaded Via Office Applications" + }, { "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", "meta": { @@ -21791,81 +24654,128 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", "value": "APT PRIVATELOG Image Load Pattern" }, { - "description": "Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", + "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/09/02", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/01", "falsepositive": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unknown" ], - "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", - "level": "medium", + "filename": "image_load_side_load_shell_chrome_api.yml", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://twitter.com/HunterPlaybook/status/1301207718355759107", - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", + "attack.defense_evasion", "attack.persistence", - "attack.t1546.003" + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" ] }, "related": [ { - "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "value": "WMI Script Host Process Image Loaded" + "uuid": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", + "value": "DLL Sideloading Of ShellChromeAPI.DLL" }, { - "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension.", + "description": "Detects the image load of VSS DLL by uncommon executables", "meta": { - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", - "creation_date": "2019/11/14", + "author": "frack113", + "creation_date": "2023/02/17", "falsepositive": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" + "Unknown" ], - "filename": "image_load_in_memory_powershell.yml", - "level": "medium", + "filename": "image_load_dll_vsstrace_susp_load.yml", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/p3nt4/PowerShdll", - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" + "https://github.com/ORCx41/DeleteShadowCopies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml" ], "tags": [ - "attack.t1059.001", - "attack.execution" + "attack.defense_evasion", + "attack.impact", + "attack.t1490" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "value": "In-memory PowerShell" + "uuid": "48bfd177-7cf2-412b-ad77-baf923489e82", + "value": "Suspicious Volume Shadow Copy Vsstrace.dll Load" + }, + { + "description": "Detects Kerberos DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Legitimate macro usage. Add the appropriate filter according to your environment" + ], + "filename": "image_load_office_kerberos_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_kerberos_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "value": "Active Directory Kerberos DLL Loaded Via Office Applications" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", @@ -21880,7 +24790,7 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ @@ -21897,60 +24807,50 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", "value": "Wmiprvse Wbemcomn DLL Hijack" }, { - "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", "meta": { - "author": "SBousseaden", - "creation_date": "2019/10/28", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", "falsepositive": [ - "Unknown" + "Legitimate macro usage. Add the appropriate filter according to your environment" ], - "filename": "image_load_svchost_dll_search_order_hijack.yml", + "filename": "image_load_office_outlook_outlvba_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml" ], "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" + "attack.execution", + "attack.t1204.002" ] }, - "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "value": "Svchost DLL Search Order Hijack" - }, - { - "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", - "meta": { - "author": "frack113", - "creation_date": "2022/02/03", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_advapi32_dll.yml", - "level": "informational", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/hlldz/Phant0m", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", - "value": "Suspicious Load of Advapi31.dll" + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", + "value": "Microsoft VBA For Outlook Addin Loaded Via Outlook" }, { "description": "Detect DLL Load from Spooler Service backup folder", @@ -21965,8 +24865,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/ly4k/SpoolFool", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -22014,9 +24914,58 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "value": "Microsoft Office DLL Sideload" }, + { + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Legitimate macro usage. Add the appropriate filter according to your environment" + ], + "filename": "image_load_office_vbadll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_vbadll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "value": "VBA DLL Loaded Via Office Application" + }, { "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", "meta": { @@ -22030,9 +24979,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], "tags": [ @@ -22041,9 +24990,51 @@ "attack.t1056.002" ] }, + "related": [ + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "value": "UIPromptForCredentials DLLs" }, + { + "description": "Detects CLR DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Legitimate macro usage. Add the appropriate filter according to your environment" + ], + "filename": "image_load_office_dotnet_clr_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "value": "CLR DLL Loaded Via Office Applications" + }, { "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "meta": { @@ -22088,30 +25079,6 @@ "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", "value": "Time Travel Debugging Utility Usage - Image" }, - { - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/08/02", - "falsepositive": [ - "Very unlikely" - ], - "filename": "image_load_defender_load_dll_from_nondefault_path.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "value": "Microsoft Defender Loading DLL from Nondefault Path" - }, { "description": "Detects suspicious encoded payloads in WMI Event Consumers", "meta": { @@ -22199,9 +25166,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -22346,7 +25313,7 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" ], "tags": [ @@ -22458,7 +25425,7 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" ], "tags": [ @@ -22699,13 +25666,22 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "value": "Tamper Windows Defender - PSClassic" }, { "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "meta": { - "author": "Sai Prashanth Pulisetti @pulisettis", + "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "creation_date": "2022/12/10", "falsepositive": [ "Unknown" @@ -22794,6 +25770,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -22853,8 +25836,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], @@ -22880,8 +25863,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -22889,6 +25872,15 @@ "attack.t1115" ] }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "value": "PowerShell Get Clipboard" }, @@ -22906,7 +25898,7 @@ "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/8", - "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -22983,6 +25975,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23018,6 +26017,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23153,6 +26159,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23177,21 +26190,21 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/besimorhino/powercat", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/HarmJ0y/DAMP", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -23215,6 +26228,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ @@ -23222,6 +26242,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ @@ -23236,6 +26263,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23260,7 +26294,7 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" ], "tags": [ @@ -23346,6 +26380,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23381,6 +26422,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23448,6 +26496,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23483,6 +26538,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23507,23 +26569,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/AlsidOfficial/WSUSpendu/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/PowerShellMafia/PowerSploit", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/besimorhino/powercat", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -23632,6 +26694,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23667,6 +26736,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23723,8 +26799,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -23732,6 +26808,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3818659-5016-4811-a73c-dde4679169d2", "value": "Suspicious Computer Machine Password by PowerShell" }, @@ -23826,6 +26911,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -23916,8 +27008,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ @@ -24007,8 +27099,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -24118,6 +27210,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -24142,8 +27241,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -24184,6 +27283,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", "value": "Extracting Information with PowerShell" }, @@ -24266,9 +27374,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -24301,8 +27409,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -24346,6 +27454,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -24381,6 +27496,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -24405,10 +27527,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://adsecurity.org/?p=2277", + "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -24483,8 +27605,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" ], "tags": [ @@ -24550,8 +27672,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ietf.org/rfc/rfc2821.txt", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", + "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], @@ -24585,9 +27707,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -24595,6 +27717,15 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "db885529-903f-4c5d-9864-28fe199e6370", "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" }, @@ -24605,7 +27736,7 @@ "creation_date": "2022/10/17", "falsepositive": [ "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "filename": "posh_ps_using_set_service_to_hide_services.yml", "level": "high", @@ -24623,6 +27754,15 @@ "attack.t1574.011" ] }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" }, @@ -24647,6 +27787,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", "value": "Powershell File and Directory Discovery" }, @@ -24761,11 +27910,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://woshub.com/manage-windows-firewall-powershell/", - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -24798,8 +27947,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -24888,8 +28037,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -24897,6 +28046,15 @@ "attack.t1056.001" ] }, + "related": [ + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", "value": "Powershell Keylogging" }, @@ -24947,9 +28105,9 @@ "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -25013,6 +28171,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", "value": "Powershell Sensitive File Discovery" }, @@ -25158,8 +28325,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -25202,6 +28369,22 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "value": "Disable of ETW Trace - Powershell" }, @@ -25218,9 +28401,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -25261,6 +28444,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480", "value": "DirectorySearcher Powershell Exploitation" }, @@ -25319,6 +28511,15 @@ "attack.t1120" ] }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b26647de-4feb-4283-af6b-6117661283c5", "value": "Powershell Suspicious Win32_PnPEntity" }, @@ -25379,6 +28580,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -25390,31 +28598,6 @@ "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, - { - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_disable_windowsoptionalfeature.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "value": "Disable-WindowsOptionalFeature Command PowerShell" - }, { "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "meta": { @@ -25469,6 +28652,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, @@ -25529,6 +28721,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -25653,6 +28852,15 @@ "attack.t1113" ] }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", "value": "Windows Screen Capture with CopyFromScreen" }, @@ -25770,8 +28978,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ @@ -25882,6 +29090,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -25962,8 +29177,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], @@ -25989,8 +29204,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -26045,6 +29260,40 @@ "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "value": "Suspicious GPO Discovery With Get-GPO" }, + { + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_disable_windows_optional_feature.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "value": "Disable-WindowsOptionalFeature Command PowerShell" + }, { "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", "meta": { @@ -26058,8 +29307,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -26253,6 +29502,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "value": "Tamper Windows Defender - ScriptBlockLogging" }, @@ -26310,6 +29568,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa2559c8-1197-471d-9cdd-05a0273d4522", "value": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging" }, @@ -26358,8 +29625,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -26397,6 +29664,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -26432,6 +29706,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -26465,6 +29746,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", "value": "Suspicious New-PSDrive to Admin Share" }, @@ -26489,6 +29779,15 @@ "attack.t1558.003" ] }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", "value": "Request A Single Ticket via PowerShell" }, @@ -26505,8 +29804,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -26557,6 +29856,15 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "value": "Get-ADUser Enumeration Using UserAccountControl Flags" }, @@ -26573,8 +29881,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -26708,8 +30016,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -26717,6 +30025,15 @@ "attack.t1574.011" ] }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3", "value": "Service Registry Permissions Weakness Check" }, @@ -26767,8 +30084,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ @@ -26824,9 +30141,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -26991,6 +30308,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "value": "AMSI Bypass Pattern Assembly GetType" }, @@ -27083,6 +30409,15 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "value": "Suspicious PowerShell Get Current User" }, @@ -27108,42 +30443,17 @@ "attack.t1033" ] }, - "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", - "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" - }, - { - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_invocation_lolscript_count.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bohops/status/948061991012327424", - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, "related": [ { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", - "value": "Execution via CL_Invocation.ps1 (2 Lines)" + "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" }, { "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", @@ -27199,6 +30509,15 @@ "attack.t1547.004" ] }, + "related": [ + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", "value": "Winlogon Helper DLL" }, @@ -27209,7 +30528,7 @@ "creation_date": "2022/10/24", "falsepositive": [ "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" + "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", "level": "high", @@ -27227,6 +30546,15 @@ "attack.t1574.011" ] }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "22d80745-6f2c-46da-826b-77adaededd74", "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" }, @@ -27276,8 +30604,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -27310,8 +30638,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995111125447577600", "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" ], "tags": [ @@ -27352,6 +30680,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", "value": "Active Directory Computers Enumeration with Get-AdComputer" }, @@ -27377,6 +30714,15 @@ "attack.t1518" ] }, + "related": [ + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "value": "Detected Windows Software Discovery - PowerShell" }, @@ -27404,6 +30750,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -27436,6 +30789,15 @@ "attack.t1110.001" ] }, + "related": [ + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", "value": "Suspicious Connection to Remote Account" }, @@ -27452,8 +30814,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -27486,10 +30848,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -27555,9 +30917,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -27588,6 +30950,15 @@ "attack.t1518.001" ] }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", "value": "Security Software Discovery by Powershell" }, @@ -27604,8 +30975,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ @@ -27783,6 +31154,13 @@ ] }, "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -27907,10 +31285,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", - "https://twitter.com/ScumBots/status/1610626724257046529", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -27919,6 +31297,15 @@ "attack.t1056.001" ] }, + "related": [ + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "965e2db9-eddb-4cf6-a986-7a967df651e4", "value": "Potential Keylogger Activity" }, @@ -27944,6 +31331,15 @@ "attack.t1057" ] }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af4c87ce-bdda-4215-b998-15220772e993", "value": "Suspicious Process Discovery With Get-Process" }, @@ -28089,21 +31485,21 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/besimorhino/powercat", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/HarmJ0y/DAMP", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -28127,6 +31523,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ @@ -28134,6 +31537,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ @@ -28148,6 +31558,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -28183,6 +31600,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -28219,6 +31643,13 @@ ] }, "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ @@ -28559,6 +31990,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -28642,9 +32080,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" ], "tags": [ @@ -28710,8 +32148,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ @@ -28719,6 +32157,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", "value": "Powershell Directory Enumeration" }, @@ -28813,6 +32260,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -28914,6 +32368,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -28946,42 +32407,17 @@ "attack.t1553.004" ] }, - "uuid": "42821614-9264-4761-acfc-5772c3286f76", - "value": "Root Certificate Installed - PowerShell" - }, - { - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pabraeken/status/995111125447577600", - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, "related": [ { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "6609c444-9670-4eab-9636-fe4755a851ce", - "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" + "uuid": "42821614-9264-4761-acfc-5772c3286f76", + "value": "Root Certificate Installed - PowerShell" }, { "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", @@ -29239,9 +32675,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/KeeThief", - "https://github.com/denandz/KeeFarce", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/denandz/KeeFarce", + "https://github.com/GhostPack/KeeThief", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" ], "tags": [ @@ -29343,6 +32779,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119", "value": "Suspicious Remote Thread Source" }, @@ -29413,7 +32858,7 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html", + "https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml" ], "tags": [ @@ -29537,6 +32982,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "value": "Suspicious Driver Load from Temp" }, @@ -29561,6 +33015,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c676970-af4f-43c8-80af-ec9b49952852", "value": "Vulnerable AVAST Anti Rootkit Driver Load" }, @@ -29578,10 +33041,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1551449425842786306", - "https://github.com/fengjixuchui/gdrv-loader", "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://github.com/fengjixuchui/gdrv-loader", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" ], "tags": [ @@ -29589,6 +33052,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "value": "Vulnerable GIGABYTE Driver Load" }, @@ -29613,6 +33085,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "295c9289-acee-4503-a571-8eacaef36b28", "value": "Vulnerable HackSys Extreme Vulnerable Driver Load" }, @@ -29622,8 +33103,8 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/03", "falsepositive": [ - "False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)" + "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "filename": "driver_load_win_vuln_drivers_names.yml", "level": "medium", @@ -29632,16 +33113,16 @@ "refs": [ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/stong/CVE-2020-15368", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", - "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/jbaines-r7/dellicious", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", + "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/jbaines-r7/dellicious", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" ], "tags": [ @@ -29651,6 +33132,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ @@ -29708,8 +33196,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ @@ -29717,6 +33205,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "value": "Vulnerable WinRing0 Driver Load" }, @@ -29777,21 +33274,21 @@ "logsource.product": "windows", "refs": [ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", "https://github.com/stong/CVE-2020-15368", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/jbaines-r7/dellicious", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", "https://github.com/tandasat/ExploitCapcom", "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/jbaines-r7/dellicious", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -29801,6 +33298,13 @@ ] }, "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ @@ -29942,9 +33446,9 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/winsiderss/systeminformer", - "https://processhacker.sourceforge.io/", "https://systeminformer.sourceforge.io/", + "https://processhacker.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], "tags": [ @@ -29987,6 +33491,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41", "value": "Vulnerable HW Driver Load" }, @@ -30074,8 +33587,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://twitter.com/M_haggis/status/1032799638213066752", "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ @@ -30117,8 +33630,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://pypi.org/project/scapy/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -30126,6 +33639,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "value": "Python Initiated Connection" }, @@ -30142,8 +33664,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" ], "tags": [ @@ -30153,6 +33675,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", "value": "Notepad Making Network Connection" }, @@ -30170,8 +33701,8 @@ "logsource.product": "windows", "refs": [ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://content.fireeye.com/apt-41/rpt-apt41", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -30268,8 +33799,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -30379,6 +33910,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "value": "Suspicious Outbound RDP Connections" }, @@ -30395,8 +33935,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -30439,7 +33979,7 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" ], "tags": [ @@ -30492,6 +34032,13 @@ ] }, "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -30535,6 +34082,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", @@ -30655,10 +34209,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://twitter.com/M_haggis/status/1032799638213066752", "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -30891,6 +34445,22 @@ "attack.t1550.003" ] }, + "related": [ + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "value": "Suspicious Outbound Kerberos Connection" }, @@ -30958,6 +34528,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", @@ -30976,8 +34553,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ @@ -30997,6 +34574,41 @@ "uuid": "18249279-932f-45e2-b37a-8925f2597670", "value": "Communication To Ngrok.Io" }, + { + "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", + "meta": { + "author": "Gavin Knapp", + "creation_date": "2023/02/16", + "falsepositive": [ + "Legitimate applications communicating with the Reddit API e.g. web browsers not in exclusion list, app with an RSS etc." + ], + "filename": "net_connection_win_reddit_api_non_browser_access.yml", + "level": "low", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", + "https://twitter.com/kleiton0x7e/status/1600567316810551296", + "https://github.com/kleiton0x00/RedditC2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102" + ] + }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d7b09985-95a3-44be-8450-b6eadf49833e", + "value": "Suspicious Non-Browser Network Communication With Reddit API" + }, { "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", "meta": { @@ -31120,8 +34732,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -31154,8 +34766,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": "No established tags" @@ -31176,8 +34788,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ @@ -31319,8 +34931,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -31332,6 +34944,129 @@ "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03", "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique" }, + { + "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", + "meta": { + "author": "@41thexplorer", + "creation_date": "2018/11/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", + "value": "APT29 2018 Phishing Campaign File Indicators" + }, + { + "description": "Detects files written by the different tools that exploit HiveNightmare", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/23", + "falsepositive": [ + "Files that accidentally contain these strings" + ], + "filename": "file_event_win_hktl_hivenightmare_file_exports.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" + ] + }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "value": "Typical HiveNightmare SAM File Export" + }, + { + "description": "Detects the creation of a macro file for Outlook.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_office_outlook_susp_macro_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "117d3d3a-755c-4a61-b23e-9171146d094c", + "value": "Suspicious Outlook Macro Created" + }, { "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", "meta": { @@ -31345,11 +35080,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -31449,37 +35184,6 @@ "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a", "value": "Creation of a Diagcab" }, - { - "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", - "meta": { - "author": "@41thexplorer, Microsoft Defender ATP", - "creation_date": "2018/11/20", - "falsepositive": "No established falsepositives", - "filename": "file_event_win_apt_unidentified_nov_18.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/DrunkBinary/status/1063075530180886529", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", - "value": "Unidentified Attacker November 2018 - File" - }, { "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "meta": { @@ -31535,6 +35239,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3da70954-0f2c-4103-adff-b7440368f50e", "value": "Suspicious PROCEXP152.sys File Created In TMP" }, @@ -31551,11 +35264,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/helpsystems/nanodump", "https://www.google.com/search?q=procdump+lsass", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/helpsystems/nanodump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -31610,38 +35323,57 @@ "value": "CVE-2021-26858 Exchange Exploitation" }, { - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/02/04", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/22", "falsepositive": [ - "Very unlikely" + "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], - "filename": "file_event_win_hack_dumpert.yml", - "level": "critical", + "filename": "file_event_win_office_onenote_files_in_susp_locations.yml", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml" + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", - "value": "Dumpert Process Dumper Default File" + "uuid": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", + "value": "OneNote Attachment File Dropped In Suspicious Location" + }, + { + "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/09", + "falsepositive": [ + "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", + "Occasional FPs might occur if OneNote is used internally to share different embedded documents" + ], + "filename": "file_event_win_office_onenote_susp_dropped_files.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "fcc6d700-68d9-4241-9a1a-06874d621b06", + "value": "Suspicious File Created Via OneNote Application" }, { "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", @@ -31656,8 +35388,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" ], "tags": [ @@ -31700,7 +35432,7 @@ ] }, "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "value": "Creation Suspicious File In Uncommon AppData Folder" + "value": "Suspicious File Creation In Uncommon AppData Folder" }, { "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", @@ -31715,11 +35447,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -31760,6 +35492,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "value": "Suspicious Files in Default GPO Folder" }, @@ -31784,6 +35525,15 @@ "attack.t1547.009" ] }, + "related": [ + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "value": "Creation Exe for Service with Unquoted Path" }, @@ -31841,32 +35591,6 @@ "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "value": "Windows Shell File Write to Suspicious Folder" }, - { - "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", - "meta": { - "author": "Subhash Popuri (@pbssubhash)", - "creation_date": "2021/08/21", - "falsepositive": [ - "Any powershell script that creates bat files" - ], - "filename": "file_event_win_detect_powerup_dllhijacking.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.001" - ] - }, - "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", - "value": "Powerup Write Hijack DLL" - }, { "description": "Detects programs on a Windows system that should not write executables to disk", "meta": { @@ -31922,22 +35646,22 @@ "value": "WScript or CScript Dropper - File" }, { - "description": "Detects add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", + "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", "meta": { "author": "NVISO", "creation_date": "2020/05/11", "falsepositive": [ "Legitimate add-ins" ], - "filename": "file_event_win_office_persistence.yml", + "filename": "file_event_win_office_addin_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "Internal Research", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ "attack.persistence", @@ -31954,57 +35678,7 @@ } ], "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "value": "Microsoft Office Add-In Loading" - }, - { - "description": "Detects the creation of a macro file for Outlook.\nGoes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.\nParticularly interesting if both events Registry & File Creation happens at the same time.\n", - "meta": { - "author": "@ScoubiMtl", - "creation_date": "2021/04/05", - "falsepositive": [ - "User genuinely creates a VB Macro for their email" - ], - "filename": "file_event_win_outlook_c2_macro_creation.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" - ] - }, - "related": [ - { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", - "value": "Outlook C2 Macro Creation" + "value": "Potential Persistence Via Microsoft Office Add-In" }, { "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", @@ -32053,9 +35727,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/afwu/PrintNightmare", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" ], "tags": [ @@ -32079,37 +35753,64 @@ "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern" }, { - "description": "Detects Mimikatz MemSSP default log file creation", + "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", "meta": { - "author": "David ANDRE", - "creation_date": "2021/12/20", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "file_event_win_mimikatz_memssp_log_file.yml", - "level": "critical", + "filename": "file_event_win_lolbin_gather_network_info_script_output.yml", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml" + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.discovery" + ] + }, + "uuid": "f92a6f1e-a512-4a15-9735-da09e78d7273", + "value": "GatherNetworkInfo.VBS Reconnaissance Script Output" + }, + { + "description": "Detects the creation of a new Outlook form which can contain malicious code", + "meta": { + "author": "Tobias Michalski (Nextron Systems)", + "creation_date": "2021/06/10", + "falsepositive": [ + "Legitimate use of outlook forms" + ], + "filename": "file_event_win_office_outlook_newform.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", + "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.003" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", - "value": "Mimikatz MemSSP Default Log File Creation" + "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "value": "Potential Persistence Via Outlook Form" }, { "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", @@ -32134,6 +35835,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder" }, @@ -32150,8 +35860,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -32163,6 +35873,13 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -32187,8 +35904,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -32197,6 +35914,15 @@ "attack.t1542.001" ] }, + "related": [ + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "value": "UEFI Persistence Via Wpbbin - FileCreation" }, @@ -32268,6 +35994,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ @@ -32322,6 +36055,15 @@ "attack.t1574.001" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "value": "Creation of an WerFault.exe in Unusual Folder" }, @@ -32381,6 +36123,13 @@ ] }, "related": [ + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", "tags": [ @@ -32392,41 +36141,6 @@ "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", "value": "Octopus Scanner Malware" }, - { - "description": "Detects the presence and execution of Inveigh via dropped artefacts", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_event_win_inveigh_artefacts.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", - "value": "Inveigh Execution Artefacts" - }, { "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", "meta": { @@ -32451,6 +36165,13 @@ ] }, "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -32463,7 +36184,7 @@ "value": "Created Files by Microsoft Sync Center" }, { - "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/28", @@ -32516,6 +36237,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", "value": "Potential RipZip Attack on Startup Folder" }, @@ -32532,10 +36262,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], @@ -32544,33 +36274,18 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "value": "Advanced IP Scanner - File Event" }, - { - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_error_handler_cmd_persistence.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/last-byte/PersistenceSniper", - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "15904280-565c-4b73-9303-3291f964e7f9", - "value": "Potential Persistence Attempt Via ErrorHandler.Cmd" - }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { @@ -32618,23 +36333,23 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/AlsidOfficial/WSUSpendu/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/PowerShellMafia/PowerSploit", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/besimorhino/powercat", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -32667,8 +36382,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], @@ -32686,6 +36401,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", @@ -32721,6 +36443,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", @@ -32739,8 +36468,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/tifkin_/status/1321916444557365248", "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -32781,6 +36510,15 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "value": "Files With System Process Name In Unsuspected Locations" }, @@ -32964,8 +36702,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml" ], "tags": [ @@ -33032,6 +36770,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ @@ -33065,6 +36810,15 @@ "attack.t1547.009" ] }, + "related": [ + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "81315b50-6b60-4d8f-9928-3466e1022515", "value": "Suspicious desktop.ini Action" }, @@ -33112,6 +36866,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "value": "Potential Winnti Dropper Activity" }, @@ -33128,8 +36891,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -33149,6 +36912,41 @@ "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "value": "Suspicious PFX File Creation" }, + { + "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", + "meta": { + "author": "Vadim Varganov, Florian Roth (Nextron Systems)", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_msdt_susp_directories.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" + ] + }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", + "value": "File Creation In Suspicious Directory By Msdt.EXE" + }, { "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", "meta": { @@ -33185,28 +36983,39 @@ "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event" }, { - "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", + "description": "Detects the creation of an file in user Word Startup", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/11/08", + "author": "frack113", + "creation_date": "2022/06/05", "falsepositive": [ - "Unlikely" + "Addition of legitimate plugins" ], - "filename": "file_event_win_mimikatz_kirbi_file_creation.yml", - "level": "critical", + "filename": "file_event_win_office_winword_startup.yml", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "http://addbalance.com/word/startup.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_winword_startup.yml" ], "tags": [ - "attack.credential_access", - "attack.t1558" + "attack.resource_development", + "attack.t1587.001" ] }, - "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", - "value": "Mimikatz Kirbi File Creation" + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "value": "Creation In User Word Startup Folder" }, { "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", @@ -33222,9 +37031,9 @@ "logsource.product": "windows", "refs": [ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -33242,7 +37051,42 @@ } ], "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "value": "NET CLR Binary Execution Usage Log Artifact" + "value": "Suspicious DotNET CLR Usage Log Artifact" + }, + { + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_hktl_inveigh_artefacts.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "value": "Inveigh Execution Artefacts" }, { "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", @@ -33283,8 +37127,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], @@ -33293,6 +37137,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "value": "Suspicious ASPX File Drop by Exchange" }, @@ -33307,8 +37160,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -33337,37 +37190,38 @@ "value": "Adwind RAT / JRAT File Artifact" }, { - "description": "Detects the creation of new Outlook form which can contain malicious code", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { - "author": "Tobias Michalski (Nextron Systems)", - "creation_date": "2021/06/10", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/02/04", "falsepositive": [ - "Unknown" + "Very unlikely" ], - "filename": "file_event_win_outlook_newform.yml", - "level": "high", + "filename": "file_event_win_hktl_dumpert.yml", + "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ - "attack.persistence", - "attack.t1137.003" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", - "value": "Outlook Form Installation" + "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "value": "Dumpert Process Dumper Default File" }, { "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", @@ -33416,8 +37270,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" ], "tags": [ @@ -33470,6 +37324,40 @@ "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", "value": "Anydesk Temporary Artefact" }, + { + "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", + "meta": { + "author": "Florian Roth (Nextron Systems), David ANDRE", + "creation_date": "2021/11/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_hktl_mimikatz_files.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558" + ] + }, + "related": [ + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "value": "Mimikatz Kirbi File Creation" + }, { "description": "Detects the creation of the default output filename used by the wmicexec tool", "meta": { @@ -33504,29 +37392,54 @@ "value": "Wmiexec Default Output File" }, { - "description": "A office file with macro is created from a commandline or a script", + "description": "Detects the creation of a macro file for Outlook.", "meta": { - "author": "frack113", - "creation_date": "2022/01/23", + "author": "@ScoubiMtl", + "creation_date": "2021/04/05", "falsepositive": [ - "Unknown" + "User genuinely creates a VB Macro for their email" ], - "filename": "file_event_win_macro_file.yml", + "filename": "file_event_win_office_outlook_macro_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml" ], "tags": [ - "attack.initial_access", - "attack.t1566.001" + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" ] }, - "uuid": "b1c50487-1967-4315-a026-6491686d860e", - "value": "Dump Office Macro Files from Commandline" + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "value": "New Outlook Macro Created" }, { "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", @@ -33562,12 +37475,11 @@ "value": "Suspicious Screensaver Binary File Creation" }, { - "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE", "creation_date": "2021/10/24", "falsepositive": [ - "Unknown", "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "filename": "file_event_win_powershell_startup_shortcuts.yml", @@ -33575,8 +37487,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ @@ -33584,8 +37496,51 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", - "value": "PowerShell Writing Startup Shortcuts" + "value": "Potential Startup Shortcut Persistence Via PowerShell.EXE" + }, + { + "description": "Detects the creation of a office macro file from a a suspicious process", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_office_macro_files_from_susp_process.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1c50487-1967-4315-a026-6491686d860e", + "value": "Office Macro File Creation From Suspicious Process" }, { "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", @@ -33652,7 +37607,7 @@ } ], "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", - "value": "Dynamic C Sharp Compile Artefact" + "value": "Dynamic CSharp Compile Artefact" }, { "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", @@ -33667,8 +37622,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -33676,6 +37631,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75", "value": "Startup Folder File Write" }, @@ -33714,7 +37678,7 @@ "value": "UAC Bypass Using NTFS Reparse Point - File" }, { - "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner", + "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/11", @@ -33726,10 +37690,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" ], "tags": [ @@ -33762,9 +37726,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -33785,38 +37749,28 @@ "value": "Suspicious NTDS Exfil Filename Patterns" }, { - "description": "Detects default lsass dump filename from SafetyKatz", + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", "meta": { - "author": "Markus Neis", - "creation_date": "2018/07/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/09", "falsepositive": [ - "Rare legitimate files with similar filename structure" + "Unknown" ], - "filename": "file_event_win_ghostpack_safetykatz.yml", - "level": "high", + "filename": "file_event_win_persistence_error_handler_cmd.yml", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz", - "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml" + "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_persistence_error_handler_cmd.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence" ] }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", - "value": "SafetyKatz Default Dump Filename" + "uuid": "15904280-565c-4b73-9303-3291f964e7f9", + "value": "Potential Persistence Attempt Via ErrorHandler.Cmd" }, { "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", @@ -33831,8 +37785,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" ], "tags": [ @@ -33990,10 +37944,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/cube0x0/CVE-2021-36934", "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/search?q=CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], @@ -34036,6 +37990,15 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88", "value": "Moriya Rootkit" }, @@ -34094,6 +38057,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", "value": "Suspicious Unattend.xml File Access" }, @@ -34131,34 +38103,6 @@ "uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "value": "EVTX Created In Uncommon Location" }, - { - "description": "Detects files written by the different tools that exploit HiveNightmare", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/23", - "falsepositive": [ - "Files that accidentally contain these strings" - ], - "filename": "file_event_win_hivenightmare_file_exports.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/GossiTheDog/HiveNightmare", - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/WiredPulse/Invoke-HiveNightmare", - "https://github.com/FireFart/hivenightmare/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" - ] - }, - "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "value": "Typical HiveNightmare SAM File Export" - }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { @@ -34193,63 +38137,6 @@ "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "value": "UAC Bypass Abusing Winsat Path Parsing - File" }, - { - "description": "Detects a dump file written by QuarksPwDump password dumper", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/02/10", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_quarkspw_filedump.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "related": [ - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "value": "QuarksPwDump Dump File" - }, - { - "description": "Detects creation of files with the \".one\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/22", - "falsepositive": [ - "Legitimate usage of \".one\" files from those locations add-ins" - ], - "filename": "file_event_win_one_extension_files_in_susp_locations.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", - "value": "OneNote Attachment File Dropped In Suspicious Location" - }, { "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", "meta": { @@ -34263,9 +38150,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], "tags": [ @@ -34285,6 +38172,29 @@ "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", "value": "Suspicious VHD Image Download From Browser" }, + { + "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", + "falsepositive": [ + "Legitimate usage of \".pub\" files from those locations" + ], + "filename": "file_event_win_office_publisher_files_in_susp_locations.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/EmericNasi/status/1623224526220804098", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", + "value": "Publisher Attachment File Dropped In Suspicious Location" + }, { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { @@ -34379,12 +38289,33 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", @@ -34462,7 +38393,7 @@ "creation_date": "2022/06/10", "falsepositive": [ "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins to enhance notepad++ functionality by users" + "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], "filename": "file_event_win_notepad_plus_plus_persistence.yml", "level": "medium", @@ -34479,6 +38410,40 @@ "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", "value": "Potential Persistence Via Notepad++ Plugins" }, + { + "description": "Detects default lsass dump filename from SafetyKatz", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/07/24", + "falsepositive": [ + "Rare legitimate files with similar filename structure" + ], + "filename": "file_event_win_hktl_safetykatz.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", + "value": "SafetyKatz Default Dump Filename" + }, { "description": "Detects windows executables that writes files with suspicious extensions", "meta": { @@ -34547,10 +38512,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": "No established tags" @@ -34592,32 +38557,6 @@ "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "value": "CVE-2022-24527 Microsoft Connected Cache LPE" }, - { - "description": "Detects msdt.exe creating files in suspicious directories", - "meta": { - "author": "Vadim Varganov, Florian Roth", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_msdt_autorun.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" - ] - }, - "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", - "value": "MSDT.exe Creates Files in Autorun Directory" - }, { "description": "Detects the creation of an executable by another executable", "meta": { @@ -34674,6 +38613,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e", "value": "Suspicious Startup Folder Persistence" }, @@ -34690,8 +38638,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], @@ -34725,8 +38673,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -34734,11 +38682,20 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "value": "ISO File Created Within Temp Folders" }, { - "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system", + "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/21", @@ -34750,8 +38707,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/davisrichardg/status/1616518800584704028", "https://aboutdfir.com/the-key-to-identify-psexec/", + "https://twitter.com/davisrichardg/status/1616518800584704028", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_psexec_service_key.yml" ], "tags": [ @@ -34773,6 +38730,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ @@ -34782,7 +38746,7 @@ } ], "uuid": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", - "value": "Potential PSEXEC Remote Execution - FileCreation" + "value": "PSEXEC Remote Execution File Artefact" }, { "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", @@ -34817,6 +38781,41 @@ "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" }, + { + "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/23", + "falsepositive": [ + "Legitimate macro files downloaded from the internet", + "Legitimate macro files sent as attachemnts via emails" + ], + "filename": "file_event_win_office_macro_files_downloaded.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", + "value": "Office Macro File Download" + }, { "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", "meta": { @@ -34838,6 +38837,15 @@ "attack.t1547.009" ] }, + "related": [ + { + "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", "value": "New Shim Database Created in the Default Directory" }, @@ -34862,6 +38870,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "value": "Windows Webshell Creation" }, @@ -34896,6 +38913,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", @@ -34934,6 +38958,40 @@ "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "value": "WerFault LSASS Process Memory Dump" }, + { + "description": "Detects the creation of a new office macro files on the systems", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/23", + "falsepositive": [ + "Very common in environments that rely heavily on macro documents" + ], + "filename": "file_event_win_office_macro_files_created.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "91174a41-dc8f-401b-be89-7bfc140612a0", + "value": "Office Macro File Creation" + }, { "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "meta": { @@ -35002,12 +39060,45 @@ "value": "Writing Local Admin Share" }, { - "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/02/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_hktl_quarkspw_filedump.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", + "value": "QuarksPwDump Dump File" + }, + { + "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "creation_date": "2022/04/27", "falsepositive": [ - "The installation of new screen savers." + "The installation of new screen savers by third party software" ], "filename": "file_event_win_new_src_file.yml", "level": "medium", @@ -35018,8 +39109,8 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" ], "tags": [ - "attack.t1218.011", - "attack.defense_evasion" + "attack.defense_evasion", + "attack.t1218.011" ] }, "related": [ @@ -35101,9 +39192,44 @@ "value": "Legitimate Application Dropped Archive" }, { - "description": "Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking", + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Subhash Popuri (@pbssubhash)", + "creation_date": "2021/08/21", + "falsepositive": [ + "Any powershell script that creates bat files" + ], + "filename": "file_event_win_hktl_powerup_dllhijacking.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "value": "Powerup Write Hijack DLL" + }, + { + "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "creation_date": "2022/12/01", "falsepositive": [ "Unknown" @@ -35113,11 +39239,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -35128,8 +39255,24 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", - "value": "Creation Of Non-Existent DLLs In System Folders" + "value": "Creation Of Non-Existent System DLL" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", @@ -35144,7 +39287,7 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ @@ -35161,6 +39304,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", @@ -35199,66 +39349,6 @@ "uuid": "7d604714-e071-49ff-8726-edeb95a70679", "value": "Legitimate Application Dropped Script" }, - { - "description": "Detects the creation of an file in user Word Startup", - "meta": { - "author": "frack113", - "creation_date": "2022/06/05", - "falsepositive": [ - "Addition of legitimate plugins" - ], - "filename": "file_event_win_susp_winword_startup.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", - "http://addbalance.com/word/startup.htm", - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "related": [ - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "value": "Creation In User Word Startup Folder" - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", - "falsepositive": [ - "Very unlikely" - ], - "filename": "file_event_win_pingback_backdoor.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ] - }, - "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "value": "Pingback Backdoor - File" - }, { "description": "Detects Rclone config file being created", "meta": { @@ -35305,8 +39395,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://twitter.com/cyb3rops/status/1552932770464292864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ @@ -35316,9 +39406,52 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", "value": "DLL Search Order Hijackig Via Additional Space in Path" }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_malware_pingback_backdoor.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_malware_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", + "value": "Pingback Backdoor File Indicators" + }, { "description": "Detects the creation of tasks from processes executed from suspicious locations", "meta": { @@ -35341,6 +39474,15 @@ "attack.t1053" ] }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95", "value": "Suspicious Scheduled Task Write to System32 Tasks" }, @@ -35357,8 +39499,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -35391,8 +39533,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://twitter.com/ffforward/status/1481672378639912960", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", + "https://twitter.com/ffforward/status/1481672378639912960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" ], "tags": "No established tags" @@ -35401,32 +39543,144 @@ "value": "Rename Common File to DLL File" }, { - "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", + "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/16", "falsepositive": [ "During uninstallation of the IIS service", "During log rotation" ], - "filename": "file_delete_win_webserver_access_logs_deleted.yml", + "filename": "file_delete_win_delete_iis_access_logs.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml" ], "tags": [ "attack.defense_evasion", "attack.t1070" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", - "value": "WebServer Access Logs Deleted" + "value": "IIS WebServer Access Logs Deleted" }, { - "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_delete_teamviewer_logs.yml", + "level": "low", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", + "value": "TeamViewer Log File Deleted" + }, + { + "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ] + }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "value": "Potential PrintNightmare Exploitation Attempt" + }, + { + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/26", + "falsepositive": [ + "Possible FP during log rotation" + ], + "filename": "file_delete_win_delete_exchange_powershell_logs.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "value": "Exchange PowerShell Cmdlet History Deleted" + }, + { + "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", "meta": { "author": "frack113", "creation_date": "2022/01/02", @@ -35456,10 +39710,43 @@ } ], "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", - "value": "Deletes Backup Files" + "value": "Backup Files Deleted" }, { - "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", + "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_delete_event_log_files.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", + "value": "EventLog EVTX File Deleted" + }, + { + "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/05/02", @@ -35471,8 +39758,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -35490,43 +39777,45 @@ } ], "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", - "value": "Sysinternals SDelete File Deletion" + "value": "File Deleted Via Sysinternals SDelete" }, { - "description": "Deletion of log files is a known anti-forensic technique", + "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", "meta": { - "author": "frack113", - "creation_date": "2022/01/16", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/16", "falsepositive": [ - "Unknown" + "During uninstallation of the tomcat server", + "During log rotation" ], - "filename": "file_delete_win_delete_appli_log.yml", - "level": "low", + "filename": "file_delete_win_delete_tomcat_logs.yml", + "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" + "https://linuxhint.com/view-tomcat-logs-windows/", + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1070.004" + "attack.t1070" ] }, "related": [ { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", - "value": "Delete Log from Application" + "uuid": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", + "value": "Tomcat WebServer Logs Deleted" }, { - "description": "Detects the deletion of a prefetch file (AntiForensic)", + "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Cedric MAURUGEON", "creation_date": "2021/09/29", @@ -35555,49 +39844,45 @@ } ], "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "value": "Prefetch File Deletion" + "value": "Prefetch File Deleted" }, { - "description": "Detect DLL deletions from Spooler Service driver folder", + "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/07/01", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", "falsepositive": [ "Unknown" ], - "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", - "level": "high", + "filename": "file_delete_win_delete_powershell_command_history.yml", + "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/cube0x0/CVE-2021-1675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml" ], "tags": [ - "attack.persistence", "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.t1070" ] }, "related": [ { - "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "value": "Windows Spooler Service Suspicious File Deletion" + "uuid": "ff301988-c231-4bd0-834c-ac9d73b86586", + "value": "PowerShell Console History Logs Deleted" }, { "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -35615,32 +39900,17 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", - "value": "Unusual File Deletion by dns.exe" - }, - { - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/26", - "falsepositive": [ - "Possible FP during log rotation" - ], - "filename": "file_delete_win_exchange_powershell_logs.yml", - "level": "high", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", - "value": "Exchange PowerShell Cmdlet History Deleted" + "value": "Unusual File Deletion by Dns.exe" }, { "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", @@ -35655,8 +39925,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ @@ -35726,8 +39996,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://github.com/lclevy/firepwd", "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://github.com/lclevy/firepwd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" ], "tags": [ @@ -35745,7 +40015,7 @@ } ], "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "value": "Browser Credential Store Access" + "value": "Suspicious Access To Browser Credential Files" }, { "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", @@ -35784,7 +40054,7 @@ { "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch (Nextron Systems)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -35802,13 +40072,22 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "value": "Unusual File Modification by dns.exe" }, { "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", "meta": { - "author": "frack113, Florian Roth", + "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Changes made to or by the local NTP service" @@ -35944,17 +40223,17 @@ "author": "frack113, Connor Martin", "creation_date": "2022/07/11", "falsepositive": [ - "Legitimate usage of the softwares mentioned above" + "Legitimate usage of the software mentioned above" ], "filename": "dns_query_win_remote_access_software_domains.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], "tags": [ @@ -35987,8 +40266,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" ], "tags": [ @@ -36096,8 +40375,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -36184,6 +40463,41 @@ "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "value": "DNS Query Tor Onion Address - Sysmon" }, + { + "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", + "meta": { + "author": "Dusty Miller", + "creation_date": "2023/02/23", + "falsepositive": [ + "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" + ], + "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations", + "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations", + "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "70761fe8-6aa2-4f80-98c1-a57049c08e66", + "value": "Potential SocGholish Second Stage C2 DNS Query" + }, { "description": "Detect suspicious LDAP request from non-Windows application", "meta": { @@ -36217,37 +40531,6 @@ "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "value": "Suspicious LDAP Domain Access" }, - { - "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": "No established falsepositives", - "filename": "dns_query_win_possible_dns_rebinding.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1189" - ] - }, - "related": [ - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", - "value": "Possible DNS Rebinding" - }, { "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", "meta": { @@ -36261,8 +40544,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://twitter.com/neonprimetime/status/1436376497980428318", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" ], "tags": [ @@ -36282,64 +40565,6 @@ "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "value": "Suspicious DNS Query for IP Lookup Service APIs" }, - { - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", - "meta": { - "author": "frack113", - "creation_date": "2022/12/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_tamper_defender.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1546.008" - ] - }, - "uuid": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", - "value": "WMIC Tamper Windows Defender" - }, - { - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", - "falsepositive": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" - ], - "filename": "proc_creation_win_msedge_minimized_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", - "value": "Suspicious Minimized MSEdge Start" - }, { "description": "Performs execution of specified file, can be used for defensive evasion.", "meta": { @@ -36373,39 +40598,6 @@ "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", "value": "Suspicious Subsystem for Linux Bash Execution" }, - { - "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/06/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lethalhta.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005" - ] - }, - "related": [ - { - "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", - "value": "MSHTA Spwaned by SVCHOST" - }, { "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "meta": { @@ -36440,32 +40632,6 @@ "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "value": "MMC20 Lateral Movement" }, - { - "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_whoami_as_priv_user.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://nsudo.m2team.org/en-us/", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "value": "Run Whoami as Privileged User" - }, { "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "meta": { @@ -36490,16 +40656,46 @@ "attack.t1087" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "value": "Webshell Hacking Activity Patterns" }, { - "description": "The \"Squirrel.exe\" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN", + "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "creation_date": "2022/06/09", "falsepositive": [ - "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" + "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], "filename": "proc_creation_win_lolbin_squirrel.yml", "level": "medium", @@ -36507,16 +40703,61 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" ], "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.execution", + "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "value": "Use of Squirrel.exe" }, + { + "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/03", + "falsepositive": [ + "Legitimate usage for administration purposes" + ], + "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.005" + ] + }, + "related": [ + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", + "value": "New Generic Credentials Added Via Cmdkey.EXE" + }, { "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "meta": { @@ -36538,9 +40779,53 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "value": "Add SafeBoot Keys Via Reg Utility" }, + { + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "84232095-ecca-4015-b0d7-7726507ee793", + "value": "Suspicious DLL Loaded via CertOC.EXE" + }, { "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", "meta": { @@ -36575,38 +40860,38 @@ "value": "Rundll32 InstallScreenSaver Execution" }, { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", "meta": { - "author": "frack113", - "creation_date": "2021/07/13", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/18", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", - "level": "medium", + "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.persistence", + "attack.t1543.003" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" + "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" }, { "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", @@ -36641,106 +40926,6 @@ "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "value": "Suspicious Control Panel DLL Load" }, - { - "description": "Detects Silence downloader. These commands are hardcoded into the binary.", - "meta": { - "author": "Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community", - "creation_date": "2019/11/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_silence_downloader_v3.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.discovery", - "attack.t1057", - "attack.t1082", - "attack.t1016", - "attack.t1033", - "attack.g0091" - ] - }, - "uuid": "170901d1-de11-4de7-bccb-8fa13678d857", - "value": "Silence.Downloader V3" - }, - { - "description": "Detects suspicious process related to rundll32 based on arguments", - "meta": { - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", - "creation_date": "2019/01/16", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_rundll32_activity.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/eral4m/status/1479106975967240209", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/Hexacorn/status/885258886428725250", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/eral4m/status/1479080793003671557", - "https://twitter.com/nas_bench/status/1433344116071583746", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "value": "Suspicious Rundll32 Activity" - }, - { - "description": "Detects a PsExec service start", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/03/13", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_psexesvc_start.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" - ], - "tags": [ - "attack.execution", - "attack.s0029", - "attack.t1569.002" - ] - }, - "related": [ - { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", - "value": "PsExec Service Start" - }, { "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", "meta": { @@ -36775,43 +40960,71 @@ "value": "Suspicious DIR Execution" }, { - "description": "Detects user accept agreement execution in psexec commandline", + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "meta": { - "author": "omkar72", - "creation_date": "2020/10/30", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/21", "falsepositive": [ - "Administrative scripts." + "Unknown" ], - "filename": "proc_creation_win_susp_psexec_eula.yml", - "level": "medium", + "filename": "proc_creation_win_renamed_adfind.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ - "attack.execution", - "attack.t1569", - "attack.t1021" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ] }, "related": [ { - "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", - "value": "Psexec Accepteula Condition" + "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "value": "Renamed AdFind Execution" }, { - "description": "Detects specific process parameters as seen in DTRACK infections", + "description": "Detects potential Dtrack RAT activity via specific process patterns", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/10/30", "falsepositive": [ "Unlikely" @@ -36821,9 +41034,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", + "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", "https://securelist.com/my-name-is-dtrack/93338/", + "https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" ], "tags": [ @@ -36841,7 +41056,7 @@ } ], "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "value": "DTRACK Process Creation" + "value": "Potential Dtrack RAT Activity" }, { "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", @@ -36865,6 +41080,15 @@ "car.2016-03-001" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "value": "WhoAmI as Parameter" }, @@ -36881,8 +41105,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" ], "tags": [ @@ -36964,8 +41188,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ @@ -36998,8 +41222,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" ], "tags": [ @@ -37028,75 +41252,6 @@ "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "value": "DNS RCE CVE-2020-1350" }, - { - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/14", - "falsepositive": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" - ], - "filename": "proc_creation_win_susp_ntdsutil_usage.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", - "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "description": "Detects suspicious use of XORDump process memory dumping utility", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/28", - "falsepositive": [ - "Another tool that uses the command line switches of XORdump" - ], - "filename": "proc_creation_win_xordump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/audibleblink/xordump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "value": "XORDump Use" - }, { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", "meta": { @@ -37111,8 +41266,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -37183,33 +41338,18 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "value": "Taskmgr as Parent" }, - { - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "meta": { - "author": "frack113", - "creation_date": "2021/12/11", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "filename": "proc_creation_win_susp_tasklist_command.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ] - }, - "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", - "value": "Suspicious Tasklist Discovery Command" - }, { "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "meta": { @@ -37243,39 +41383,6 @@ "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "value": "Microsoft IIS Connection Strings Decryption" }, - { - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/10/08", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_iox.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/EddieIvan01/iox", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "related": [ - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", - "value": "IOX Tunneling Tool" - }, { "description": "Detects process dump via legitimate sqldumper.exe binary", "meta": { @@ -37289,8 +41396,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], @@ -37332,6 +41439,15 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", "value": "Suspicious Query of MachineGUID" }, @@ -37382,8 +41498,8 @@ "logsource.product": "windows", "refs": [ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" ], "tags": [ @@ -37399,6 +41515,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "96036718-71cc-4027-a538-d1587e0006a7", @@ -37427,6 +41550,30 @@ "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", "value": "Query Usage To Exfil Data" }, + { + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", + "value": "Wusa Extracting Cab Files From Suspicious Paths" + }, { "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", "meta": { @@ -37448,6 +41595,15 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "value": "Use of PktMon.exe" }, @@ -37485,109 +41641,6 @@ "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, - { - "description": "Downloads payload from remote server", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_msoffice.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "Reegun J (OCBC Bank)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", - "value": "Malicious Payload Download via Office Binaries" - }, - { - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/08/26", - "falsepositive": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" - ], - "filename": "proc_creation_win_crime_snatch_ransomware.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "related": [ - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", - "value": "Snatch Ransomware" - }, - { - "description": "Detects indicators of a UAC bypass method by mocking directories", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/08/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "related": [ - { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", - "value": "TrustedPath UAC Bypass Pattern" - }, { "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "meta": { @@ -37601,8 +41654,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -37623,50 +41676,76 @@ "value": "Use of Wfc.exe" }, { - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "description": "Detects the execution of whoami.exe with suspicious parent processes.", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/06/28", + "creation_date": "2021/08/12", "falsepositive": [ - "Unknown" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml", + "filename": "proc_creation_win_whoami_parent_anomaly.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ] }, "related": [ { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "99c840f2-2012-46fd-9141-c761987550ef", - "value": "Bitsadmin Download File from IP" + "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "value": "Whoami.EXE Execution Anomaly" + }, + { + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_sharp_chisel.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/shantanu561993/SharpChisel", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ] + }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "value": "HackTool - SharpChisel Execution" }, { "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", @@ -37681,8 +41760,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], @@ -37711,6 +41790,42 @@ "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "value": "Suspicious LSASS Process Clone" }, + { + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_whoami_susp_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", + "value": "Suspicious Whoami.EXE Execution" + }, { "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", "meta": { @@ -37724,9 +41839,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/electron/rcedit", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml" ], "tags": [ @@ -37745,17 +41860,133 @@ ], "type": "related-to" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "value": "Potential PE Metadata Tamper Using Rcedit" }, + { + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/14", + "falsepositive": [ + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + ], + "filename": "proc_creation_win_pua_ngrok.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://ngrok.com/docs", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://twitter.com/xorJosh/status/1598646907802451969", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "value": "PUA - Ngrok Execution" + }, + { + "description": "Detects AdFind execution with common flags seen used during attacks", + "meta": { + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "creation_date": "2021/02/02", + "falsepositive": [ + "Legitimate admin activity" + ], + "filename": "proc_creation_win_adfind_susp_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adfind_susp_usage.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ] + }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", + "value": "AdFind Suspicious Execution" + }, { "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", "meta": { @@ -37769,9 +42000,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" ], "tags": [ @@ -37844,17 +42075,20 @@ "author": "Craig Young, oscd.community, Georg Lauenstein", "creation_date": "2021/07/24", "falsepositive": [ - "Legitimate administration use but user must be check out" + "Legitimate administration use but user and host must be investigated" ], "filename": "proc_creation_win_nltest_recon.yml", - "level": "medium", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -37864,6 +42098,13 @@ ] }, "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ @@ -37875,39 +42116,6 @@ "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "value": "Potential Recon Activity Via Nltest.EXE" }, - { - "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware", - "meta": { - "author": "Sander Wiebing", - "creation_date": "2020/05/23", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_netsh_allow_port_rdp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "related": [ - { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", - "value": "Netsh RDP Port Opening" - }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { @@ -37944,6 +42152,48 @@ "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "value": "CMSTP Execution Process Creation" }, + { + "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", + "meta": { + "author": "Sreeman, Nasreddine Bencherchali", + "creation_date": "2020/01/13", + "falsepositive": [ + "Administrative scripts (installers)" + ], + "filename": "proc_creation_win_cmd_curl_download_and_start_combo.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_and_start_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "value": "Suspicious Curl Download And Execute Combination" + }, { "description": "Detects WannaCry ransomware activity", "meta": { @@ -37980,6 +42230,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "tags": [ @@ -38003,27 +42260,28 @@ } ], "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", - "value": "WannaCry Ransomware" + "value": "WannaCry Ransomware Activity" }, { - "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", "meta": { - "author": "frack113", - "creation_date": "2021/11/03", + "author": "Olaf Hartong", + "creation_date": "2019/05/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_schtasks_user_temp.yml", + "filename": "proc_creation_win_exploit_other_bearlpe.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" + "https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_bearlpe.yml" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" ] }, "related": [ @@ -38035,42 +42293,44 @@ "type": "related-to" } ], - "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", - "value": "Suspicious Add Scheduled Task From User AppData Temp" + "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "value": "Potential BearLPE Exploitation" }, { - "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", - "creation_date": "2018/04/06", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "creation_date": "2023/02/14", "falsepositive": [ - "Unknown" + "Asset management software", + "During software installations" ], - "filename": "proc_creation_win_office_shell.yml", - "level": "high", + "filename": "proc_creation_win_wmic_recon_product.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ "attack.execution", - "attack.t1204.002" + "attack.t1047", + "car.2016-03-002" ] }, "related": [ { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "438025f9-5856-4663-83f7-52f878a70a50", - "value": "Microsoft Office Product Spawning Windows Shell" + "uuid": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "value": "Potential Product Reconnaissance Via Wmic.EXE" }, { "description": "Detects presence of a potentially xor encoded powershell command", @@ -38085,10 +42345,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://redcanary.com/blog/yellow-cockatoo/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -38113,163 +42373,170 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "value": "Suspicious XOR Encoded PowerShell Command" }, { - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "description": "Detects suspicious use of XORDump process memory dumping utility", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/15", + "creation_date": "2022/01/28", "falsepositive": [ - "Unknown" + "Another tool that uses the command line switches of XORdump" ], - "filename": "proc_creation_win_hack_sharpersist.yml", + "filename": "proc_creation_win_hktl_xordump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", - "https://github.com/mandiant/SharPersist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" + "https://github.com/audibleblink/xordump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml" ], "tags": [ - "attack.persistence", - "attack.t1053" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ] }, - "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", - "value": "SharPersist Usage" + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "value": "HackTool - XORDump Execution" }, { - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "description": "Detect use of PDQ Deploy remote admin tool", "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/25", + "author": "frack113", + "creation_date": "2022/10/01", "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" + "Legitimate use" ], - "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", + "filename": "proc_creation_win_pdqdeploy_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://www.pdq.com/pdq-deploy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", - "value": "Direct Autorun Keys Modification" - }, - { - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/12/20", - "falsepositive": [ - "Other programs that use these command line option and accepts an 'All' parameter" - ], - "filename": "proc_creation_win_hack_bloodhound.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/BloodHoundAD/BloodHound", - "https://github.com/BloodHoundAD/SharpHound", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", "attack.execution", - "attack.t1059.001" + "attack.lateral_movement", + "attack.t1072" ] }, "related": [ { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", - "value": "Bloodhound and Sharphound Hack Tool" + "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "value": "PDQ Deploy Remote Adminstartion Tool Execution" }, { - "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/06/25", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/04", "falsepositive": [ - "Legitimate software creating script event consumers" + "Command lines that use the same flags" ], - "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", + "filename": "proc_creation_win_lolbin_createdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_createdump.yml" ], "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", - "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" + "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "value": "CreateDump Process Dump" + }, + { + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/11", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "filename": "proc_creation_win_schtask_creation_temp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtask_creation_temp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "value": "Suspicious Scheduled Task Creation Involving Temp Folder" }, { "description": "Detects WMI script event consumers", @@ -38309,7 +42576,7 @@ { "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022/08/25", "falsepositive": [ "Unlikely" @@ -38319,8 +42586,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" ], "tags": [ @@ -38397,27 +42664,6 @@ "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "value": "Suspicious Processes Spawned by WinRM" }, - { - "description": "Detects inline execution of PowerShell code from a file", - "meta": { - "author": "frack113", - "creation_date": "2022/12/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ps_exec_data_file.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml" - ], - "tags": "No established tags" - }, - "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", - "value": "Powershell Inline Execution From A File" - }, { "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", "meta": { @@ -38440,6 +42686,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", "value": "Suspect Svchost Activity" }, @@ -38476,6 +42731,40 @@ "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "value": "F-Secure C3 Load by Rundll32" }, + { + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "meta": { + "author": "FPT.EagleEye", + "creation_date": "2020/12/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "value": "Potential Emotet Rundll32 Execution" + }, { "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", "meta": { @@ -38533,6 +42822,48 @@ "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "value": "Suspicious Execution Of PDQDeployRunner" }, + { + "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_etw_modification_cmdline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "41421f44-58f9-455d-838a-c398859841d4", + "value": "ETW Logging Tamper In .NET Processes" + }, { "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", "meta": { @@ -38567,6 +42898,77 @@ "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", "value": "Suspicious Sigverif Execution" }, + { + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitimate processes that run at logon. Filter according to your environment" + ], + "filename": "proc_creation_win_schtasks_schedule_type.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "value": "Suspicious Schtasks Schedule Types" + }, + { + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/05/22", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + ], + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.poweradmin.com/paexec/", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "207b0396-3689-42d9-8399-4222658efc99", + "value": "Potential Privilege Escalation To LOCAL SYSTEM" + }, { "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", "meta": { @@ -38580,8 +42982,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -38592,6 +42994,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -38603,30 +43012,6 @@ "uuid": "74403157-20f5-415d-89a7-c505779585cf", "value": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" }, - { - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "meta": { - "author": "Romaissa Adjailia, FLorian Roth", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", - "value": "PsExec Service Execution" - }, { "description": "Download and compress a remote file and store it in a cab file on local machine.", "meta": { @@ -38661,51 +43046,37 @@ "value": "Suspicious Diantz Download and Compress Into a CAB File" }, { - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/06/28", + "author": "@41thexplorer", + "creation_date": "2018/11/20", "falsepositive": [ - "Some legitimate apps use this, but limited." + "Unlikely" ], - "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml", - "level": "medium", + "filename": "proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml" ], "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" + "attack.execution", + "attack.t1218.011" ] }, "related": [ { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "value": "Bitsadmin Download from Suspicious Domain" + "uuid": "7453575c-a747-40b9-839b-125a0aae324b", + "value": "APT29 2018 Phishing Campaign CommandLine Indicators" }, { "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", @@ -38720,9 +43091,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1534916659676422152", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", - "https://twitter.com/nas_bench/status/1534916659676422152", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], "tags": [ @@ -38744,40 +43115,102 @@ "value": "Use of Adplus.exe" }, { - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali @nas_bench", - "creation_date": "2022/01/24", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/18", "falsepositive": [ - "Legitimate use by administrators" + "Unknown" ], - "filename": "proc_creation_win_tool_nircmd_as_system.yml", + "filename": "proc_creation_win_hktl_handlekatz.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml" ], "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "value": "NirCmd Tool Execution As LOCAL SYSTEM" + "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "value": "HackTool - HandleKatz LSASS Dumper Execution" + }, + { + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "meta": { + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "creation_date": "2018/09/03", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "value": "Suspicious Encoded PowerShell Command Line" + }, + { + "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/09/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_pua_frp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/fatedier/frp", + "https://asec.ahnlab.com/en/38156/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", + "value": "PUA - Fast Reverse Proxy (FRP) Execution" }, { "description": "Detects wmiexec vbs version execution by wscript or cscript", @@ -38833,41 +43266,17 @@ "attack.t1036" ] }, - "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", - "value": "Taskmgr as LOCAL_SYSTEM" - }, - { - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/04/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_getprocess_lsass.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/PythonResponder/status/1385064506049630211", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ] - }, "related": [ { - "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "value": "PowerShell Get-Process LSASS" + "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "value": "Taskmgr as LOCAL_SYSTEM" }, { "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", @@ -38939,38 +43348,39 @@ "value": "UAC Bypass Using IDiagnostic Profile" }, { - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/05", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/28", "falsepositive": [ - "Use of Program Compatibility Troubleshooter Helper" + "Unknown" ], - "filename": "proc_creation_win_susp_pcwutl.yml", - "level": "medium", + "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", - "https://twitter.com/harr0ey/status/989617817849876488", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://twitter.com/0gtweet/status/1628720819537936386", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.persistence", + "attack.t1543.003" ] }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", - "value": "Code Execution via Pcwutl.dll" + "uuid": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", + "value": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", @@ -38985,8 +43395,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" ], "tags": [ @@ -38997,6 +43407,36 @@ "attack.t1087" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", "value": "Webshell Detection With Command Line Keywords" }, @@ -39063,39 +43503,44 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", "value": "PowerShell Base64 Encoded Invoke Keyword" }, { - "description": "Detect use of PDQ Deploy remote admin tool", + "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", "meta": { - "author": "frack113", - "creation_date": "2022/10/01", + "author": "Nasreddine Bencherchali", + "creation_date": "2023/02/07", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_pdqdeploy.yml", + "filename": "proc_creation_win_renamed_autohotkey.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", - "https://www.pdq.com/pdq-deploy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy.yml" + "https://www.autohotkey.com/download/", + "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml" ], "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" + "attack.defense_evasion" ] }, - "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", - "value": "PDQ Deploy Remote Adminstartion Tool Execution" + "uuid": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", + "value": "Renamed AutoHotkey.EXE Execution" }, { - "description": "Detects renamed jusched.exe used by cobalt group", + "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", "meta": { "author": "Markus Neis, Swisscom", "creation_date": "2019/06/04", @@ -39126,7 +43571,31 @@ } ], "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "value": "Renamed jusched.exe" + "value": "Renamed Jusched.EXE Execution" + }, + { + "description": "Detects the execution of AdvancedRun utility", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_pua_advancedrun.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" + ], + "tags": "No established tags" + }, + "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "value": "PUA - AdvancedRun Execution" }, { "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", @@ -39163,30 +43632,6 @@ "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", "value": "Suspicious Recursive Takeown" }, - { - "description": "Detects execution of msiexec from an uncommon directory", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/11/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_msiexec_cwd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/200_okay_/status/1194765831911215104", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "value": "Suspicious MsiExec Directory" - }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { @@ -39222,88 +43667,56 @@ "value": "UAC Bypass Using Windows Media Player - Process" }, { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_execution_via_office_process.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_execution_via_office_process.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", - "value": "WMI Execution Via Office Process" - }, - { - "description": "Execution of plink to perform data exfiltration and tunneling", + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/04", + "creation_date": "2018/12/19", "falsepositive": [ - "Administrative activity" + "Unlikely" ], - "filename": "proc_creation_win_susp_plink_usage.yml", - "level": "high", + "filename": "proc_creation_win_hktl_rubeus.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml" + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://github.com/GhostPack/Rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" ] }, "related": [ { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "value": "Potential RDP Tunneling Via SSH Plink" + "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "value": "HackTool - Rubeus Execution" }, { "description": "Detects suspicious inline VBScript keywords as used by UNC2452", @@ -39326,9 +43739,127 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", "value": "Suspicious VBScript UN2452 Pattern" }, + { + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_whoami_groups_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", + "value": "Group Membership Reconnaissance Via Whoami.EXE" + }, + { + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_git_susp_clone.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1593.003" + ] + }, + "related": [ + { + "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "value": "Suspicious Git Clone" + }, + { + "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "meta": { + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_sharp_impersonation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", + "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" + ] + }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", + "value": "HackTool - SharpImpersonation Execution" + }, { "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", "meta": { @@ -39362,39 +43893,6 @@ "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", "value": "TAIDOOR RAT DLL Load" }, - { - "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/08/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_systemnightmare.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GossiTheDog/SystemNightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "related": [ - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", - "value": "SystemNightmare Exploitation Script Execution" - }, { "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "meta": { @@ -39408,9 +43906,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" ], "tags": "No established tags" @@ -39452,6 +43950,74 @@ "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "value": "Suspicious RASdial Activity" }, + { + "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/01", + "falsepositive": [ + "Administrators settings a service to disable via script or cli for testing purposes" + ], + "filename": "proc_creation_win_sc_disable_service.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", + "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" + }, + { + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_recon_hotfix.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "value": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" + }, { "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "meta": { @@ -39499,10 +44065,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", "https://redcanary.com/blog/raspberry-robin/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://twitter.com/Hexacorn/status/1187143326673330176", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" ], "tags": [ @@ -39554,7 +44120,113 @@ } ], "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "value": "Download Arbitrary Files Via MSPUB.EXE" + "value": "Arbitrary File Download Via MSPUB.EXE" + }, + { + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "proc_creation_win_powershell_frombase64string_archive.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml" + ], + "tags": "No established tags" + }, + "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" + }, + { + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "meta": { + "author": "Christian Burkard (Nextron Systems)", + "creation_date": "2021/08/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_computerdefaults.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "value": "UAC Bypass Tools Using ComputerDefaults" + }, + { + "description": "Detects command line parameters used by Koadic hack tool", + "meta": { + "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/01/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_koadic.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", + "value": "HackTool - Koadic Execution" }, { "description": "Detects usage of Dsacls to grant over permissive permissions", @@ -39588,7 +44260,7 @@ } ], "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", - "value": "Abusing Permissions Using Dsacls" + "value": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" }, { "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", @@ -39603,8 +44275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ @@ -39625,67 +44297,37 @@ "value": "Perl Inline Command Execution" }, { - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", - "creation_date": "2022/05/01", + "creation_date": "2022/02/13", "falsepositive": [ - "Unknown" + "Legitimate use" ], - "filename": "proc_creation_win_susp_gpresult.yml", + "filename": "proc_creation_win_remote_access_tools_gotoopener.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml" ], "tags": [ - "attack.discovery", - "attack.t1615" + "attack.command_and_control", + "attack.t1219" ] }, "related": [ { - "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", - "value": "Gpresult Display Group Policy Information" - }, - { - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", - "meta": { - "author": "Georg Lauenstein", - "creation_date": "2022/09/19", - "falsepositive": [ - "Other programs that use the same command line flags" - ], - "filename": "proc_creation_win_winpeas_tool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" - ] - }, - "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", - "value": "Detect Execution of winPEAS" + "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", + "value": "Use of GoToAssist Remote Access Software" }, { "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", @@ -39721,52 +44363,6 @@ "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "value": "Execution via stordiag.exe" }, - { - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "meta": { - "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", - "creation_date": "2019/09/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_impacket_lateralization.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", - "value": "Potential Impacket Lateral Movement Activity" - }, { "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", "meta": { @@ -39810,50 +44406,49 @@ "value": "Execute Code with Pester.bat" }, { - "description": "Detects creation of a new service.", + "description": "Detects suspicious ways to download files or content using PowerShell", "meta": { - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/21", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/24", "falsepositive": [ - "Legitimate administrator or user creates a service for legitimate reasons." + "Scripts or tools that download files" ], - "filename": "proc_creation_win_new_service_creation.yml", - "level": "low", + "filename": "proc_creation_win_powershell_download_cradles.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml" + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml" ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] + "tags": "No established tags" }, - "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", - "value": "New Service Creation" + "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", + "value": "PowerShell Web Download" }, { - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "meta": { - "author": "pH-T (Nextron Systems)", - "creation_date": "2022/07/15", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/20", "falsepositive": [ - "Software installation" + "Unknown" ], - "filename": "proc_creation_win_schtasks_once_0000.yml", + "filename": "proc_creation_win_pua_advancedrun_priv_user.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml" + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": "No established tags" }, - "uuid": "970823b7-273b-460a-8afc-3a6811998529", - "value": "Uncommon Scheduled Task Once 00:00" + "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", + "value": "PUA - AdvancedRun Suspicious Execution" }, { "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", @@ -39889,6 +44484,41 @@ "uuid": "75578840-9526-4b2a-9462-af469a45e767", "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" }, + { + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_trufflesnout.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "value": "HackTool - TruffleSnout Execution" + }, { "description": "Detects a command that accesses password storing registry hives via volume shadow backups", "meta": { @@ -39902,9 +44532,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], "tags": [ @@ -39924,6 +44554,94 @@ "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "value": "Sensitive Registry Access via Volume Shadow Copy" }, + { + "description": "Detects LockerGoga ransomware activity via specific command line.", + "meta": { + "author": "Vasiliy Burov, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_lockergoga_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", + "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_lockergoga_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "74db3488-fd28-480a-95aa-b7af626de068", + "value": "LockerGoga Ransomware Activity" + }, + { + "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/18", + "falsepositive": [ + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" + ], + "filename": "proc_creation_win_sysinternals_psloglist.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://twitter.com/EricaZelic/status/1614075109827874817", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" + ] + }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", + "value": "Suspicious Use of PsLogList" + }, { "description": "Detects suspicious parent process for cmd.exe", "meta": { @@ -39958,37 +44676,107 @@ "value": "Unusual Parent Process for cmd.exe" }, { - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "meta": { - "author": "Sreeman, Florian Roth", - "creation_date": "2022/01/04", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2023/02/20", "falsepositive": [ - "Unknown" + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" ], - "filename": "proc_creation_win_headless_browser_file_download.yml", - "level": "high", + "filename": "proc_creation_win_sc_create_service.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ] }, "related": [ { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "value": "File Download with Headless Browser" + "uuid": "85ff530b-261d-48c6-a441-facaa2e81e48", + "value": "New Service Creation Using Sc.EXE" + }, + { + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate programs executing PowerShell scripts" + ], + "filename": "proc_creation_win_powershell_non_interactive_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f4bbd493-b796-416e-bbf2-121235348529", + "value": "Non Interactive PowerShell Process Spawned" + }, + { + "description": "Detects file execution using the msdeploy.exe lolbin", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_lolbin_msdeploy.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/999090532839313408", + "https://twitter.com/pabraeken/status/995837734379032576", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", + "value": "Execute Files with Msdeploy.exe" }, { "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", @@ -40037,8 +44825,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1206692239839289344", "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", + "https://twitter.com/0gtweet/status/1206692239839289344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ @@ -40058,31 +44846,6 @@ "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "value": "Lolbin Runexehelper Use As Proxy" }, - { - "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/29", - "falsepositive": [ - "Programs that use the same command line flags" - ], - "filename": "proc_creation_win_hack_sharpldapwhoami.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/bugch3ck/SharpLdapWhoami", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "value": "SharpLdapWhoami" - }, { "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", "meta": { @@ -40130,8 +44893,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://twitter.com/ClearskySec/status/960924755355369472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" ], @@ -40176,8 +44939,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml" ], "tags": [ @@ -40196,6 +44959,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "tags": [ @@ -40207,30 +44977,6 @@ "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "value": "PowerShell Base64 Encoded Reflective Assembly Load" }, - { - "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", - "meta": { - "author": "frack113", - "creation_date": "2022/01/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uninstall_sysmon.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "value": "Uninstall Sysinternals Sysmon" - }, { "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "meta": { @@ -40244,8 +44990,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ @@ -40253,9 +44999,88 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", "value": "Dism Remove Online Package" }, + { + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "filename": "proc_creation_win_persistence_wpbbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_wpbbin.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ] + }, + "related": [ + { + "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", + "value": "UEFI Persistence Via Wpbbin - ProcessCreation" + }, + { + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "meta": { + "author": "frack113", + "creation_date": "2022/12/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_namespace_defender.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1546.008" + ] + }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", + "value": "Potential Windows Defender Tampering Via Wmic.EXE" + }, { "description": "Detecting DNS tunnel activity for Muddywater actor", "meta": { @@ -40269,8 +45094,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" ], "tags": [ @@ -40324,62 +45149,37 @@ "value": "Hiding Files with Attrib.exe" }, { - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/05", + "author": "frack113", + "creation_date": "2021/11/15", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_susp_registration_via_cscript.yml", - "level": "medium", + "filename": "proc_creation_win_reg_bitlocker.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", - "https://ss64.com/vb/cscript.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml" + "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.impact", + "attack.t1486" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", - "value": "Suspicious Registration via cscript.exe" - }, - { - "description": "Detects email exfiltration via powershell cmdlets", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_email_exfil_via_powershell.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" - ], - "tags": [ - "attack.exfiltration" - ] - }, - "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", - "value": "Email Exifiltration Via Powershell" + "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "value": "Suspicious Reg Add BitLocker" }, { "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", @@ -40402,33 +45202,87 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", "value": "Execution in Webserver Root Folder" }, { - "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", "meta": { - "author": "frack113", - "creation_date": "2021/12/10", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "creation_date": "2020/10/12", "falsepositive": [ - "Network administrator computer" + "Unknown" ], - "filename": "proc_creation_win_nmap_zenmap.yml", + "filename": "proc_creation_win_lolbin_wuauclt.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml" + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml" ], "tags": [ - "attack.discovery", - "attack.t1046" + "attack.defense_evasion", + "attack.t1218", + "attack.execution" ] }, - "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", - "value": "Nmap/Zenmap Execution" + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", + "value": "Proxy Execution via Wuauclt" + }, + { + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "meta": { + "author": "Micah Babinski, @micahbabinski", + "creation_date": "2023/02/15", + "falsepositive": [ + "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" + ], + "filename": "proc_creation_win_susp_right_to_left_override.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/right-to-left-override/", + "https://unicode-explorer.com/c/202E", + "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.002" + ] + }, + "related": [ + { + "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", + "value": "Potential Defense Evasion Via Right-to-Left Override" }, { "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", @@ -40443,8 +45297,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" ], "tags": [ @@ -40454,75 +45308,6 @@ "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, - { - "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2021/11/23", - "falsepositive": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", - "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" - ], - "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "related": [ - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", - "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" - }, - { - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "meta": { - "author": "Harjot Singh, '@cyb3rjy0t'", - "creation_date": "2023/01/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ads_stored_dll_execution_rundll32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rundll32", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "related": [ - { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9248c7e1-2bf3-4661-a22c-600a8040b446", - "value": "Potential Rundll32 Execution With DLL Stored In ADS" - }, { "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "meta": { @@ -40536,8 +45321,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" ], "tags": [ @@ -40625,7 +45410,7 @@ "value": "Wlrmdr Lolbin Use as Launcher" }, { - "description": "Detects execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", "meta": { "author": "frack113, Florian Roth", "creation_date": "2022/12/05", @@ -40637,14 +45422,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -40671,7 +45456,7 @@ } ], "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "value": "Rename Mavinject Execution" + "value": "Renamed Mavinject.EXE Execution" }, { "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", @@ -40686,9 +45471,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -40709,38 +45494,39 @@ "value": "Potential Powershell ReverseShell Connection" }, { - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", "meta": { - "author": "Ivan Dyachkov, oscd.community", - "creation_date": "2020/10/07", + "author": "frack113", + "creation_date": "2022/01/07", "falsepositive": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + "WSL (Windows Sub System For Linux)", + "Other currently unknown software" ], - "filename": "proc_creation_win_susp_diskshadow.yml", - "level": "high", + "filename": "proc_creation_win_mstsc_remote_connection.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ - "attack.execution", - "attack.t1218" + "attack.lateral_movement", + "attack.t1021.001" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "value": "Execution via Diskshadow.exe" + "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", + "value": "New Remote Desktop Connection Initiated Via Mstsc.EXE" }, { "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", @@ -40755,8 +45541,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml" ], "tags": [ @@ -40766,44 +45552,6 @@ "uuid": "a383dec4-deec-4e6e-913b-ed9249670848", "value": "Potential Signing Bypass Via Windows Developer Features" }, - { - "description": "Detects netsh commands that configure a port forwarding (PortProxy)", - "meta": { - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", - "creation_date": "2019/01/29", - "falsepositive": [ - "Legitimate administration", - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" - ], - "filename": "proc_creation_win_netsh_port_fwd.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ] - }, - "related": [ - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", - "value": "Netsh Port Forwarding" - }, { "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", "meta": { @@ -40828,6 +45576,13 @@ ] }, "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -40837,7 +45592,7 @@ } ], "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", - "value": "MSDT Executed with Suspicious Parent" + "value": "Suspicious MSDT Parent Process" }, { "description": "Detects a set of suspicious network related commands often used in recon stages", @@ -40862,6 +45617,22 @@ "car.2016-03-001" ] }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", "value": "Network Reconnaissance Activity" }, @@ -40891,6 +45662,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -40903,71 +45681,74 @@ "value": "Suspicious PowerShell Command Line" }, { - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/21", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/20", "falsepositive": [ - "Administrative activity" + "Unknown" ], - "filename": "proc_creation_win_susp_rundll32_keymgr.yml", + "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/NinjaParanoid/status/1516442028963659777", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml" + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.execution", + "attack.t1047" ] }, "related": [ { - "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", - "value": "Suspicious Key Manager Access" + "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "value": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" }, { - "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", "meta": { - "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/05/25", + "author": "Sreeman", + "creation_date": "2020/10/29", "falsepositive": [ - "Legitimate administration" + "Unknown" ], - "filename": "proc_creation_win_netsh_fw_add_susp_image.yml", - "level": "high", + "filename": "proc_creation_win_persistence_bitsadmin.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virusradar.com/en/Win32_Kasidet.AD/description", - "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml" + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_bitsadmin.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.004" + "attack.t1197" ] }, "related": [ { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", - "value": "Netsh Program Allowed with Suspcious Location" + "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "value": "Monitoring For Persistence Via BITS" }, { "description": "Detects activity mentioned in Operation Wocao report", @@ -40998,6 +45779,13 @@ ] }, "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "tags": [ @@ -41005,6 +45793,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ @@ -41024,93 +45819,121 @@ "value": "Operation Wocao Activity" }, { - "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", "meta": { - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/21", + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", "falsepositive": [ - "Legitimate administrator or user enumerates local users for legitimate reason" + "Unlikely" ], - "filename": "proc_creation_win_local_system_owner_account_discovery.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "attack.t1087.001" - ] - }, - "related": [ - { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "502b42de-4306-40b4-9596-6f590c81f073", - "value": "Local Accounts Discovery" - }, - { - "description": "This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbins_by_office_applications.yml", + "filename": "proc_creation_win_malware_pingback_backdoor.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_pingback_backdoor.yml" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" + "attack.persistence", + "attack.t1574.001" ] }, "related": [ { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", - "value": "New Lolbin Process by Office Applications" + "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", + "value": "Pingback Backdoor Activity" + }, + { + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence" + ] + }, + "related": [ + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "value": "Logon Scripts (UserInitMprLogonScript)" + }, + { + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/08/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "value": "PowerShell DownloadFile" }, { "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", @@ -41125,9 +45948,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml" ], "tags": [ @@ -41204,6 +46027,20 @@ ], "type": "related-to" }, + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -41215,32 +46052,6 @@ "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "value": "HTML Help Shell Spawn" }, - { - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "meta": { - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2019/10/21", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_service_path_modification.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", - "value": "Suspicious Service Path Modification" - }, { "description": "Files with well-known filenames (sensitive files with credential data) copying", "meta": { @@ -41254,9 +46065,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" ], "tags": [ @@ -41287,64 +46098,46 @@ "value": "Copying Sensitive Files with Credential Data" }, { - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2020/07/03", + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_curl_download.yml", + "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://twitter.com/max_mal_/status/1542461200797163522", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ] }, "related": [ { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", - "value": "Suspicious Curl Usage on Windows" - }, - { - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_format.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1477925112561209344", - "https://twitter.com/wdormann/status/1478011052130459653?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "value": "Format.com FileSystem LOLBIN" + "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher" }, { "description": "Detects possible password spraying attempts using Dsacls", @@ -41379,7 +46172,7 @@ } ], "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", - "value": "Password Spraying Attempts Using Dsacls" + "value": "Potential Password Spraying Attempt Using Dsacls.EXE" }, { "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", @@ -41394,8 +46187,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -41433,48 +46226,28 @@ "value": "SQLite Chromium Profile Data DB Access" }, { - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/09/08", + "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", + "creation_date": "2017/06/12", "falsepositive": [ - "Unknown" + "Legitimate administrative tasks" ], - "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml", - "level": "high", + "filename": "proc_creation_win_sysinternals_psexesvc.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", - "https://github.com/h3v0x/CVE-2021-26084_Confluence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml" ], "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" + "attack.execution" ] }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", - "value": "Atlassian Confluence CVE-2021-26084" + "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "value": "PsExec Service Execution" }, { "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", @@ -41510,117 +46283,44 @@ "value": "Potential DLL Injection Or Execution Using Tracker.exe" }, { - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", + "description": "Detects suspicious child processes spawned by PowerShell", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2020/10/12", + "author": "Florian Roth (Nextron Systems), Tim Shelton", + "creation_date": "2022/04/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_wmic_proc_create.yml", + "filename": "proc_creation_win_powershell_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://thedfirreport.com/2020/10/08/ryuks-return/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" + "https://twitter.com/ankit_anubhav/status/1518835408502620162", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml" ], - "tags": [ - "attack.execution", - "attack.t1047" - ] + "tags": "No established tags" }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", - "value": "Suspicious WMIC Execution - ProcessCallCreate" + "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "value": "Suspicious PowerShell Child Processes" }, { - "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/28", - "falsepositive": [ - "Legitimate use of Nim on developer systems" - ], - "filename": "proc_creation_win_nimgrab.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", - "value": "File Downloaded Using Nimgrab" - }, - { - "description": "Detects the use of Advanced Port Scanner.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2021/12/18", - "falsepositive": [ - "Legitimate administrative use", - "Tools with similar commandline (very rare)" - ], - "filename": "proc_creation_win_advanced_port_scanner.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" - ] - }, - "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", - "value": "Advanced Port Scanner" - }, - { - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", + "creation_date": "2022/03/12", "falsepositive": [ - "Cases in which procdump just gets copied to a different directory without any renaming" + "Unknown" ], - "filename": "proc_creation_win_procdump_evasion.yml", + "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1480785527901204481", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036", + "attack.credential_access", "attack.t1003.001" ] }, @@ -41633,64 +46333,55 @@ "type": "related-to" } ], - "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", - "value": "Procdump Evasion" + "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "value": "HackTool - CrackMapExec Process Patterns" }, { - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/08/07", + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "creation_date": "2019/01/29", "falsepositive": [ - "Unknown" + "Legitimate administration activity", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" ], - "filename": "proc_creation_win_mailboxexport_share.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://youtu.be/5mqid-7zp8k?t=2481", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" - ], - "tags": [ - "attack.exfiltration" - ] - }, - "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", - "value": "Suspicious PowerShell Mailbox Export to Share" - }, - { - "description": "Detects a when net.exe is called with a password in the command line", - "meta": { - "author": "Tim Shelton (HAWK.IO)", - "creation_date": "2021/12/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_net_use_password_plaintext.yml", + "filename": "proc_creation_win_netsh_port_forwarding.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml" + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], - "tags": "No established tags" + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] }, - "uuid": "d4498716-1d52-438f-8084-4a603157d131", - "value": "Password Provided In Command Line Of Net.exe" + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", + "value": "New Port Forwarding Rule Added Via Netsh.EXX" }, { - "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", + "description": "Detects commandline flags that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", "meta": { "author": "Markus Neis", "creation_date": "2017/08/28", "falsepositive": [ "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" + "Programs that use the same commandline" ], "filename": "proc_creation_win_sysinternals_eula_accepted.yml", "level": "low", @@ -41715,7 +46406,7 @@ } ], "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", - "value": "Usage of Sysinternals Tools" + "value": "Potential Execution of Sysinternals Tools" }, { "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", @@ -41794,39 +46485,63 @@ "value": "UAC Bypass Using Disk Cleanup" }, { - "description": "dotnet.exe will execute any DLL and execute unsigned code", + "description": "Detect execution of suspicious double extension files in ParentCommandLine", "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2020/10/18", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/06", "falsepositive": [ - "System administrator Usage" + "Unknown" ], - "filename": "proc_creation_win_dotnet.yml", - "level": "medium", + "filename": "proc_creation_win_susp_double_extension_parent.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://twitter.com/_felamos/status/1204705548668555264", - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" + "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ - "attack.execution", - "attack.t1218" + "attack.defense_evasion", + "attack.t1036.007" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" + "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "value": "Suspicious Parent Double Extension File Execution" + }, + { + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ] + }, + "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "value": "UAC Bypass Using Event Viewer RecentViews" }, { "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", @@ -41850,11 +46565,20 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", "value": "Imports Registry Key From an ADS" }, { - "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", "meta": { "author": "Jason Lynch", "creation_date": "2019/04/02", @@ -41866,8 +46590,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", - "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -41887,44 +46611,7 @@ } ], "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", - "value": "MS Office Product Spawning Exe in User Dir" - }, - { - "description": "Detects the creation of scheduled tasks in user session", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Administrative activity", - "Software installation" - ], - "filename": "proc_creation_win_susp_schtask_creation.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", - "value": "Scheduled Task Creation" + "value": "Suspicious Binary In User Directory Spawned From Office Application" }, { "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", @@ -41948,91 +46635,17 @@ "attack.t1518" ] }, - "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", - "value": "Detected Windows Software Discovery" - }, - { - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/13", - "falsepositive": [ - "Legitimate uses of Mouse Lock software" - ], - "filename": "proc_creation_win_mouse_lock.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", - "https://sourceforge.net/projects/mouselock/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml" - ], - "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" - ] - }, - "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", - "value": "Mouse Lock Credential Gathering" - }, - { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.echotrail.io/insights/search/wusa.exe/", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "value": "Wusa Extracting Cab Files From Suspicious Paths" - }, - { - "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", - "meta": { - "author": "frack113", - "creation_date": "2022/02/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_redirect_to_stream.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, "related": [ { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", - "value": "Cmd Stream Redirection" + "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "value": "Detected Windows Software Discovery" }, { "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", @@ -42067,6 +46680,47 @@ "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", "value": "Suspicious Office Token Search Via CLI" }, + { + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "meta": { + "author": "@neu5ron", + "creation_date": "2019/02/07", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_bcdedit_susp_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.persistence", + "attack.t1542.003" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "value": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" + }, { "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", "meta": { @@ -42080,8 +46734,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" ], "tags": [ @@ -42101,29 +46755,6 @@ "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "value": "Suspicious WebDav Client Execution" }, - { - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "meta": { - "author": "frack113", - "creation_date": "2022/06/04", - "falsepositive": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" - ], - "filename": "proc_creation_win_susp_rundll32_user32_dll.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", - "value": "Suspicious Workstation Locking via Rundll32" - }, { "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", "meta": { @@ -42137,8 +46768,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml" ], "tags": [ @@ -42158,6 +46789,75 @@ "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "value": "AnyDesk Silent Installation" }, + { + "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use by users" + ], + "filename": "proc_creation_win_dirlister_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "value": "DirLister Execution" + }, + { + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certutil_encode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "value": "File Encoded To Base64 Via Certutil.EXE" + }, { "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", "meta": { @@ -42182,6 +46882,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "value": "Tasks Folder Evasion" }, @@ -42198,7 +46907,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml" ], "tags": [ @@ -42248,7 +46957,77 @@ ] }, "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "value": "Renamed Rundll32 Execution Via DllRegisterServer" + "value": "Potential Renamed Rundll32 Execution" + }, + { + "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/06/25", + "falsepositive": [ + "Legitimate software creating script event consumers" + ], + "filename": "proc_creation_win_wmic_eventconsumer_creation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", + "value": "New ActiveScriptEventConsumer Created Via Wmic.EXE" + }, + { + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "meta": { + "author": "Teymur Kheirkhabarov", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "value": "Possible Privilege Escalation via Weak Service Permissions" }, { "description": "Detects commands that temporarily turn off Volume Snapshots", @@ -42271,6 +47050,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "value": "Disabled Volume Snapshots" }, @@ -42308,60 +47096,71 @@ "value": "Use of Mftrace.exe" }, { - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/27", + "creation_date": "2021/02/01", "falsepositive": [ - "Possible but rare" + "Unknown" ], - "filename": "proc_creation_win_susp_rundll32_no_params.yml", + "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-opsec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml" + "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1112" ] }, "related": [ { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", - "value": "Suspicious Rundll32 Without Any CommandLine Params" + "uuid": "b0524451-19af-4efa-a46f-562a977f792e", + "value": "ShimCache Flush" }, { - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", "meta": { - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", - "creation_date": "2022/11/10", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/15", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_sysmon_exploitation.yml", + "filename": "proc_creation_win_hktl_sharpersist.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/filip_dragovic/status/1590052248260055041", - "https://twitter.com/filip_dragovic/status/1590104354727436290", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" + "https://github.com/mandiant/SharPersist", + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], - "tags": "No established tags" + "tags": [ + "attack.persistence", + "attack.t1053" + ] }, - "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "value": "Suspicious Sysmon as Execution Parent" + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "value": "HackTool - SharPersist Execution" }, { "description": "Detects a process memory dump performed by RdrLeakDiag.exe", @@ -42409,9 +47208,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", - "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" ], "tags": [ @@ -42455,6 +47254,13 @@ ] }, "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ @@ -42500,58 +47306,6 @@ "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "value": "Suspicious File Characteristics Due to Missing Fields" }, - { - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/05/08", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_crime_maze_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", - "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "value": "Maze Ransomware" - }, { "description": "Detects when a program changes the default file association of any extension to an executable", "meta": { @@ -42573,9 +47327,52 @@ "attack.t1546.001" ] }, + "related": [ + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "value": "Change Default File Association To Executable" }, + { + "description": "Detects the use of 3proxy, a tiny free proxy server", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_pua_3proxy_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/3proxy/3proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", + "value": "PUA - 3Proxy Execution" + }, { "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", "meta": { @@ -42589,10 +47386,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -42613,57 +47410,22 @@ "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "value": "Bypass UAC via WSReset.exe" }, - { - "description": "Detects LockerGoga Ransomware command line.", - "meta": { - "author": "Vasiliy Burov, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_mal_lockergoga_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", - "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", - "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "related": [ - { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "74db3488-fd28-480a-95aa-b7af626de068", - "value": "LockerGoga Ransomware" - }, { "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/02", "falsepositive": [ - "Unknown" + "Python libraries that use a flag starting with \"-c\". Filter according to your environment" ], "filename": "proc_creation_win_python_inline_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.python.org/3/using/cmdline.html#cmdoption-c", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://docs.python.org/3/using/cmdline.html#cmdoption-c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -42683,34 +47445,6 @@ "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90", "value": "Python Inline Command Execution" }, - { - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/08/13", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "filename": "proc_creation_win_susp_whoami.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "value": "Whoami Execution" - }, { "description": "Detects a ping command that uses a hex encoded IP address", "meta": { @@ -42741,6 +47475,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", @@ -42782,25 +47523,85 @@ "value": "Schtasks Creation Or Modification With SYSTEM Privileges" }, { - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "meta": { - "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", - "creation_date": "2018/09/03", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_powershell_base64_encoded_cmd.yml", + "author": "X__Junior, Florian Roth", + "creation_date": "2022/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rar_susp_greedy_compression.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml" + "https://decoded.avast.io/martinchlumecky/png-steganography", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml" ], "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059" ] }, "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb", + "value": "Suspicious Greedy Compression Using Rar.EXE" + }, + { + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -42809,8 +47610,92 @@ "type": "related-to" } ], - "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "value": "Suspicious Encoded PowerShell Command Line" + "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", + "value": "HackTool - CrackMapExec Execution Patterns" + }, + { + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "meta": { + "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://nsudo.m2team.org/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "value": "Suspicious Whoami.EXE Execution From Privileged Process" + }, + { + "description": "Detects nltest commands that can be used for information discovery", + "meta": { + "author": "Arun Chauhan", + "creation_date": "2023/02/03", + "falsepositive": [ + "Legitimate administration activity" + ], + "filename": "proc_creation_win_nltest_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016", + "attack.t1018", + "attack.t1482" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "903076ff-f442-475a-b667-4f246bcc203b", + "value": "Nltest.EXE Execution" }, { "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", @@ -42911,6 +47796,15 @@ "attack.t1120" ] }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "value": "Fsutil Drive Enumeration" }, @@ -42920,7 +47814,8 @@ "author": "frack113", "creation_date": "2021/12/06", "falsepositive": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID" + "Legitimate query of a service by an administrator to get more information such as the state or PID", + "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" ], "filename": "proc_creation_win_sc_query.yml", "level": "low", @@ -42935,6 +47830,15 @@ "attack.t1007" ] }, + "related": [ + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", "value": "SC.EXE Query Execution" }, @@ -42951,11 +47855,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://man.openbsd.org/ssh_config#ProxyCommand", "https://man.openbsd.org/ssh_config#LocalCommand", - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://gtfobins.github.io/gtfobins/ssh/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -42988,8 +47892,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" ], "tags": [ @@ -43086,37 +47990,85 @@ "value": "Anydesk Execution From Suspicious Folder" }, { - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "meta": { - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", - "creation_date": "2019/10/30", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/13", "falsepositive": [ - "Unknown" + "Unknown", + "Some cases in which the service spawned a werfault.exe process" ], - "filename": "proc_creation_win_run_powershell_script_from_ads.yml", + "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml" + "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", + "https://twitter.com/cyb3rops/status/1514217991034097664", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", + "https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" ] }, "related": [ { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "value": "Run PowerShell Script from ADS" + "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "value": "Potential CVE-2022-26809 Exploitation Attempt" + }, + { + "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "Other tools with the same command line flag combination", + "Legitimate uses as part of Visual Studio development" + ], + "filename": "proc_creation_win_lolbin_pressaynkey.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1463526834918854661", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pressaynkey.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "value": "NodejsTools PressAnyKey Lolbin" }, { "description": "Shadow Copies deletion using operating systems utilities", @@ -43132,15 +48084,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine#the-process", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/Neo23x0/Raccine#the-process", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" ], "tags": [ @@ -43151,6 +48103,13 @@ ] }, "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ @@ -43162,6 +48121,148 @@ "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", "value": "Shadow Copies Deletion Using Operating Systems Utilities" }, + { + "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/11/18", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_secedit_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", + "attack.privilege_escalation", + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "value": "Potential Suspicious Activity Using SeCEdit" + }, { "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "meta": { @@ -43175,8 +48276,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], @@ -43201,8 +48302,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], @@ -43231,87 +48332,10 @@ } ], "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", - "value": "Bitsadmin Download" + "value": "File Download Via Bitsadmin" }, { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "meta": { - "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Highly likely if rar is a default archiver in the monitored environment." - ], - "filename": "proc_creation_win_data_compressed_with_rar.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", - "value": "Data Compressed - rar.exe" - }, - { - "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", - "meta": { - "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali", - "creation_date": "2022/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sharp_impersonation_tool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", - "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" - ] - }, - "related": [ - { - "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", - "value": "SharpImpersonation Execution" - }, - { - "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility", + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022/08/01", @@ -43331,41 +48355,17 @@ "attack.defense_evasion" ] }, - "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", - "value": "Imports Registry Key From a File Using Reg.exe" - }, - { - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/10", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_get_localgroup_member_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ] - }, "related": [ { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", - "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" + "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", + "value": "Potential Suspicious Registry File Imported Via Reg.EXE" }, { "description": "Detects suspicious command line arguments of common data compression tools", @@ -43400,43 +48400,6 @@ "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "value": "Suspicious Compression Tool Parameters" }, - { - "description": "Detects usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_manage_bde_lolbas.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bohops/status/980659399495741441", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "related": [ - { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "value": "Suspicious Usage of the Manage-bde.wsf Script" - }, { "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "meta": { @@ -43470,40 +48433,6 @@ "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "value": "Use of VSIISExeLauncher.exe" }, - { - "description": "Detect execution of suspicious double extension files in ParentCommandLine", - "meta": { - "author": "frack113", - "creation_date": "2023/01/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_double_ext_parent.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.007" - ] - }, - "related": [ - { - "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", - "value": "Suspicious Double File Extention in ParentCommandLine" - }, { "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { @@ -43581,6 +48510,76 @@ "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, + { + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_regedit_trustedinstaller.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", + "value": "Regedit as Trusted Installer" + }, + { + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certutil_download_direct_ip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", + "value": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" + }, { "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", "meta": { @@ -43638,6 +48637,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -43715,6 +48721,40 @@ "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", "value": "Suspicious Service Binary Directory" }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_reg_modify_group_policy_settings.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" + ] + }, + "related": [ + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", + "value": "Modify Group Policy Settings" + }, { "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", "meta": { @@ -43736,33 +48776,20 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205", - "value": "Renamed or Portable Vmnat.exe" + "value": "Renamed Vmnat.exe Execution" }, { - "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_cube0x0_tools.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", - "https://github.com/cube0x0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" - ], - "tags": "No established tags" - }, - "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", - "value": "Hacktool by Cube0x0" - }, - { - "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe", + "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020/11/26", @@ -43808,10 +48835,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://twitter.com/Z3Jpa29z/status/1317545798981324801", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" ], "tags": [ @@ -43822,6 +48849,13 @@ ] }, "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -43834,72 +48868,73 @@ "value": "Suspicious Csi.exe Usage" }, { - "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/01/16", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/14", "falsepositive": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" + "Unlikely" ], - "filename": "proc_creation_win_susp_powershell_script_engine_parent_.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "value": "Suspicious PowerShell Invocation From Script Engines" - }, - { - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/11/18", - "falsepositive": [ - "Procdump illegaly bundled with legitimate software", - "Administrators who rename binaries (should be investigated)" - ], - "filename": "proc_creation_win_renamed_procdump.yml", + "filename": "proc_creation_win_hktl_localpotato.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml" + "https://www.localpotato.com/localpotato_html/LocalPotato.html", + "https://github.com/decoder-it/LocalPotato", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.privilege_escalation", + "cve.2023.21746" + ] + }, + "uuid": "6bd75993-9888-4f91-9404-e1e4e4e34b77", + "value": "HackTool - LocalPotato Execution" + }, + { + "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "meta": { + "author": "Sai Prashanth Pulisetti @pulisettis", + "creation_date": "2022/12/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_impersonate.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" ] }, "related": [ { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "value": "Renamed ProcDump Execution" + "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", + "value": "HackTool - Impersonate Execution" }, { "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", @@ -43914,8 +48949,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ @@ -43968,75 +49003,6 @@ "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "value": "Use of Pcalua For Execution" }, - { - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2022/01/24", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proc_creation_win_tool_nircmd.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "related": [ - { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", - "value": "NirCmd Tool Execution" - }, - { - "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/24", - "falsepositive": [ - "Scripts or tools that download files and execute them" - ], - "filename": "proc_creation_win_susp_powershell_download_iex.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "value": "PowerShell Web Download and Execution" - }, { "description": "Use of hostname to get information", "meta": { @@ -44050,8 +49016,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" ], "tags": [ @@ -44059,9 +49025,51 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "value": "Suspicious Execution of Hostname" }, + { + "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uninstall_sysinternals_sysmon.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysinternals_sysmon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "value": "Uninstall Sysinternals Sysmon" + }, { "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", "meta": { @@ -44075,10 +49083,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" ], "tags": [ @@ -44132,6 +49140,15 @@ "attack.t1574.008" ] }, + "related": [ + { + "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "value": "Using SettingSyncHost.exe as LOLBin" }, @@ -44157,57 +49174,6 @@ "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "value": "Suspicious Process Parents" }, - { - "description": "Detect various execution methods of the CrackMapExec pentesting framework", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2020/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_crackmapexec_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", - "value": "CrackMapExec Command Execution" - }, { "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "meta": { @@ -44222,9 +49188,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ @@ -44232,45 +49198,17 @@ "attack.t1562.001" ] }, - "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", - "value": "Powershell Defender Exclusion" - }, - { - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/10/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" - ], - "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/DLLRunner", - "https://twitter.com/cyb3rops/status/1186631731543236608", - "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "value": "Suspicious Call by Ordinal" + "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", + "value": "Powershell Defender Exclusion" }, { "description": "Detects EmpireMonkey APT reported Activity", @@ -44305,6 +49243,47 @@ "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", "value": "Empire Monkey" }, + { + "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_rdrleakdiag.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rdrleakdiag.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6355a919-2e97-4285-a673-74645566340d", + "value": "Process Memory Dumped Via RdrLeakDiag.EXE" + }, { "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "meta": { @@ -44386,7 +49365,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" @@ -44406,7 +49385,7 @@ } ], "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", - "value": "Suspicious Msiexec Load DLL" + "value": "DllUnregisterServer Function Call Via Msiexec.EXE" }, { "description": "Detects execution of powershell scripts via Runscripthelper.exe", @@ -44483,65 +49462,6 @@ "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "value": "CL_Mutexverifiers.ps1 Proxy Execution" }, - { - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_devinit_lolbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "90d50722-0483-4065-8e35-57efaadd354d", - "value": "DevInit Lolbin Download" - }, - { - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "meta": { - "author": "frack113", - "creation_date": "2021/07/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_remove_windows_defender_definition_files.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "value": "Remove Windows Defender Definition Files" - }, { "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", "meta": { @@ -44576,6 +49496,61 @@ "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", "value": "Suspicious RazerInstaller Explorer Subprocess" }, + { + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://ss64.com/vb/cscript.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", + "value": "Suspicious Registration via cscript.exe" + }, + { + "description": "Detects a when net.exe is called with a password in the command line", + "meta": { + "author": "Tim Shelton (HAWK.IO)", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_net_use_password_plaintext.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml" + ], + "tags": "No established tags" + }, + "uuid": "d4498716-1d52-438f-8084-4a603157d131", + "value": "Password Provided In Command Line Of Net.EXE" + }, { "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { @@ -44645,9 +49620,9 @@ "value": "APT29" }, { - "description": "Detects typical Dridex process patterns", + "description": "Detects potential Dridex acitvity via specific process patterns", "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community", + "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/01/10", "falsepositive": [ "Unlikely" @@ -44657,6 +49632,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/threat-detection-report/threats/dridex/", "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml" ], @@ -44669,41 +49645,64 @@ "attack.t1033" ] }, - "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "value": "Dridex Process Pattern" - }, - { - "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", - "meta": { - "author": "frack113", - "creation_date": "2022/01/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_reg_dump_sam.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, "related": [ { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", - "value": "Registry Dump of SAM Creds and Secrets" + "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "value": "Potential Dridex Activity" + }, + { + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "meta": { + "author": "Sreeman, Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browser_chromium_headless_file_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_chromium_headless_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "value": "File Download with Headless Browser" }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", @@ -44726,8 +49725,17 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", - "value": "Delete Services Via Reg Utility" + "value": "Service Registry Key Deleted Via Reg.EXE" }, { "description": "Detects CrackMapExecWin Activity as Described by NCSC", @@ -44742,8 +49750,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", "https://attack.mitre.org/software/S0488/", + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" ], "tags": [ @@ -44754,34 +49762,25 @@ "attack.t1087" ] }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04d9079e-3905-4b70-ad37-6bdf11304965", "value": "CrackMapExecWin" }, - { - "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_dllhost_no_cli.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://redcanary.com/blog/child-processes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ] - }, - "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "value": "Dllhost Process With No CommandLine" - }, { "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "meta": { @@ -44795,8 +49794,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], @@ -44822,8 +49821,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -44856,8 +49855,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://twitter.com/0gtweet/status/1583356502340870144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" @@ -44901,9 +49900,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" ], @@ -44925,67 +49924,27 @@ "value": "Rclone Execution via Command Line or PowerShell" }, { - "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", "meta": { - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", - "creation_date": "2021/08/09", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/30", "falsepositive": [ - "Some rare backup scenarios" + "Unknown" ], - "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml", + "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" + "https://github.com/p0dalirius/LDAPmonitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml" ], "tags": [ - "attack.impact", - "attack.t1490" + "attack.discovery" ] }, - "related": [ - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "value": "Copy from Volume Shadow Copy" - }, - { - "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", - "meta": { - "author": "Florian Roth (Nextron Systems), Markus Neis", - "creation_date": "2018/08/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_builtin_commands_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", - "https://twitter.com/c_APT_ure/status/939475433711722497", - "https://twitter.com/haroonmeer/status/939099379834658817", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ] - }, - "uuid": "2887e914-ce96-435f-8105-593937e90757", - "value": "Reconnaissance Activity Using BuiltIn Commands" + "uuid": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", + "value": "HackTool - SharpLDAPmonitor Execution" }, { "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", @@ -45008,9 +49967,58 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", "value": "DLL Sideloading by VMware Xfer Utility" }, + { + "description": "Detects suspicious command lines used in Covenant luanchers", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/06/04", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_hktl_covenant.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1564.003" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "value": "HackTool - Covenant PowerShell Launcher" + }, { "description": "Detects wscript/cscript executions of scripts located in user directories", "meta": { @@ -45142,6 +50150,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -45161,111 +50176,7 @@ "value": "Base64 Encoded PowerShell Command Detected" }, { - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6355a919-2e97-4285-a673-74645566340d", - "value": "RdrLeakDiag Process Dump" - }, - { - "description": "Detects a Windows command line executable started from MSHTA", - "meta": { - "author": "Michael Haag", - "creation_date": "2019/01/16", - "falsepositive": [ - "Printer software / driver installations", - "HP software" - ], - "filename": "proc_creation_win_mshta_spawn_shell.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/july-2015/malicious-htas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" - ] - }, - "related": [ - { - "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "value": "MSHTA Spawning Windows Shell" - }, - { - "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_cipher.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "related": [ - { - "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4b046706-5789-4673-b111-66f25fe99534", - "value": "Overwrite Deleted Data with Cipher" - }, - { - "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", + "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/16", @@ -45286,13 +50197,57 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "value": "Use of Sysinternals PsService" + "value": "Sysinternals PsService Execution" + }, + { + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + "meta": { + "author": "Markus Neis, Sander Wiebing", + "creation_date": "2019/01/29", + "falsepositive": [ + "Legitimate administration activity", + "Software installations and removal" + ], + "filename": "proc_creation_win_netsh_fw_add_rule.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "value": "New Firewall Rule Added Via Netsh.EXE" }, { "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/12/27", "falsepositive": [ "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" @@ -45302,8 +50257,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": "No established tags" @@ -45324,8 +50279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" ], "tags": [ @@ -45335,6 +50290,42 @@ "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "value": "Persistence Via TypedPaths - CommandLine" }, + { + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/11/23", + "falsepositive": [ + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + ], + "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.poweradmin.com/paexec/", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" + }, { "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", "meta": { @@ -45369,7 +50360,7 @@ "value": "UNC2452 Process Creation Patterns" }, { - "description": "Detects reg command lines that disable certain important features of Microsoft Defender", + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/22", @@ -45381,8 +50372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" ], "tags": [ @@ -45390,33 +50381,52 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3", - "value": "Registry Defender Tampering" + "value": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" }, { - "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.", + "description": "Detects PowerShell script execution via input stream redirect", "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "creation_date": "2020/10/17", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml", - "level": "medium", + "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml" + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ] }, - "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", - "value": "Modification Of Existing Services For Persistence" + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "value": "Run PowerShell Script from Redirected Input Stream" }, { "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", @@ -45431,8 +50441,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ @@ -45454,41 +50464,72 @@ "value": "Lolbin Defaultpack.exe Use As Proxy" }, { - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/08/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/23", "falsepositive": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + "Other legitimate network providers used and not filtred in this rule" ], - "filename": "proc_creation_win_susp_csc_folder.yml", - "level": "medium", + "filename": "proc_creation_win_reg_new_network_provider.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_new_network_provider.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027.004" + "attack.credential_access", + "attack.t1003" ] }, "related": [ { - "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", - "value": "Suspicious Csc.exe Source File Folder" + "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "value": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" + }, + { + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/09", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_powershell_susp_ps_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "value": "PowerShell Script Run in AppData" }, { "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", @@ -45524,38 +50565,37 @@ "value": "Suspicious Execution of InstallUtil To Download" }, { - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/24", + "creation_date": "2023/02/21", "falsepositive": [ - "Very unlikely" + "Unknown" ], - "filename": "proc_creation_win_hack_inveigh.yml", - "level": "critical", + "filename": "proc_creation_win_net_use_mount_internet_share.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.lateral_movement", + "attack.t1021.002" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - "value": "Inveigh Hack Tool" + "uuid": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", + "value": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, { "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", @@ -45570,8 +50610,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" ], "tags": [ @@ -45600,6 +50640,40 @@ "uuid": "18739897-21b1-41da-8ee4-5b786915a676", "value": "GALLIUM Artefacts" }, + { + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + "meta": { + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "creation_date": "2022/05/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "value": "HackTool - Jlaive In-Memory Assembly Execution" + }, { "description": "Detects suspicious and uncommon child processes of WmiPrvSE", "meta": { @@ -45613,9 +50687,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -45686,6 +50760,42 @@ "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", "value": "MERCURY Command Line Patterns" }, + { + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ] + }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", + "value": "Enumeration for 3rd Party Creds From CLI" + }, { "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "meta": { @@ -45720,107 +50830,84 @@ "value": "Suspicious Diantz Alternate Data Stream Execution" }, { - "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "meta": { - "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", - "creation_date": "2022/02/28", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/14", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_outlook_shell.yml", + "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml" + "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml" ], "tags": [ - "attack.execution", - "attack.t1204.002" + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", - "value": "Microsoft Outlook Product Spawning Windows Shell" + "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "value": "Rundll32 JS RunHTMLApplication Pattern" }, { - "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata", + "description": "Detects the execution GMER tool based on image and hash fields.", "meta": { - "author": "Christian Burkard (Nextron Systems), Florian Roth", - "creation_date": "2021/08/30", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/05", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml", + "filename": "proc_creation_win_hktl_gmer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml" + "http://www.gmer.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "value": "HackTool - GMER Rootkit Detector and Remover Execution" + }, + { + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "meta": { + "author": "elhoim", + "creation_date": "2022/05/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regsvr32_spawn_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1218.010" ] }, "related": [ { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", - "value": "UAC Bypass Tool UACMe Akagi" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_clip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation CLIP+ Launcher" + "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "value": "Regsvr32 Spawning Explorer" }, { "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", @@ -45855,6 +50942,41 @@ "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", "value": "Suspicious Execution of Taskkill" }, + { + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", + "value": "Direct Autorun Keys Modification" + }, { "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "meta": { @@ -45876,41 +50998,17 @@ "attack.t1562.001" ] }, - "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", - "value": "Raccine Uninstall" - }, - { - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_handlekatz.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/codewhitesec/HandleKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", - "value": "HandleKatz LSASS Dumper Usage" + "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "value": "Raccine Uninstall" }, { "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", @@ -45956,57 +51054,58 @@ "value": "SQLite Firefox Profile Data DB Access" }, { - "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", + "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", "meta": { - "author": "Florian Roth (Nextron Systems), juju4, keepwatch", - "creation_date": "2019/01/16", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", + "creation_date": "2019/10/22", "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], - "filename": "proc_creation_win_susp_certutil_command.yml", + "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/egre55/status/1087685529016193025", - "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", - "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.command_and_control", - "attack.t1105", - "attack.s0160", - "attack.g0007", - "attack.g0010", - "attack.g0045", - "attack.g0049", - "attack.g0075", - "attack.g0096" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" ] }, "related": [ { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", - "value": "Suspicious Certutil Command Usage" + "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "value": "Dumping of Sensitive Hives Via Reg.EXE" }, { "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", @@ -46032,73 +51131,6 @@ "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "value": "Suspicious SYSTEM User Process Creation" }, - { - "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", - "meta": { - "author": "X__Junior, Florian Roth", - "creation_date": "2022/12/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_rar_susp_greedy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "value": "RAR Greedy Compression" - }, - { - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/31", - "falsepositive": [ - "Some installers were seen using this method of creation unfortunately. Filter them in your environment" - ], - "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", - "value": "Suspicious Schtasks Schedule Type With High Privileges" - }, { "description": "Detects new commands that add new printer port which point to suspicious file", "meta": { @@ -46133,6 +51165,97 @@ "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, + { + "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "meta": { + "author": "frack113", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_alternate_data_streams.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "value": "Execute From Alternate Data Streams" + }, + { + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "meta": { + "author": "Ivan Dyachkov, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + ], + "filename": "proc_creation_win_lolbin_diskshadow.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "value": "Execution via Diskshadow.exe" + }, + { + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_format.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://twitter.com/0gtweet/status/1477925112561209344", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "value": "Format.com FileSystem LOLBIN" + }, { "description": "Detect the use of Windows Defender to download payloads", "meta": { @@ -46177,40 +51300,118 @@ "value": "Windows Defender Download Activity" }, { - "description": "Detects some Empire PowerShell UAC bypass methods", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", "meta": { - "author": "Ecco", - "creation_date": "2019/08/30", + "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", + "creation_date": "2019/09/03", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml", - "level": "critical", + "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml" + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" ] }, "related": [ { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", - "value": "Empire PowerShell UAC Bypass" + "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", + "value": "HackTool - Potential Impacket Lateral Movement Activity" + }, + { + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "meta": { + "author": "Eli Salem, Sander Wiebing, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate modification of keys" + ], + "filename": "proc_creation_win_regini_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", + "value": "Registry Modification Via Regini.EXE" + }, + { + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_persistence_windows_telemetry.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_windows_telemetry.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", + "value": "Potential Persistence Via Microsoft Compatibility Appraiser" }, { "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", @@ -46248,7 +51449,7 @@ { "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -46259,8 +51460,8 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], @@ -46289,32 +51490,7 @@ } ], "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", - "value": "Bitsadmin Download to Uncommon Target Folder" - }, - { - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/05", - "falsepositive": [ - "Administrative activity (rare lookups on current privileges)" - ], - "filename": "proc_creation_win_whoami_priv.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", - "value": "Run Whoami Showing Privileges" + "value": "File Download Via Bitsadmin To An Uncommon Target Folder" }, { "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", @@ -46337,6 +51513,15 @@ "attack.t1016" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", "value": "Suspicious Network Command" }, @@ -46353,8 +51538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1168863899531132929", "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", + "https://twitter.com/cyb3rops/status/1168863899531132929", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" ], "tags": [ @@ -46362,6 +51547,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", "value": "Emissary Panda Malware SLLauncher" }, @@ -46389,6 +51583,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21", "value": "Powershell Defender Disable Scan Feature" }, @@ -46427,40 +51630,42 @@ "value": "Use of Scriptrunner.exe" }, { - "description": "Detects the Installation of a Exchange Transport Agent", + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "meta": { - "author": "Tobias Michalski (Nextron Systems)", - "creation_date": "2021/06/08", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/14", "falsepositive": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + "Legitimate usage to restore snapshots", + "Legitimate admin activity" ], - "filename": "proc_creation_win_msexchange_transport_agent.yml", + "filename": "proc_creation_win_ntdsutil_susp_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml" + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.002" + "attack.credential_access", + "attack.t1003.003" ] }, "related": [ { - "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", - "value": "MSExchange Transport Agent Installation" + "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", + "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { - "description": "Detects usage of cmdkey to look for cached credentials", + "description": "Detects usage of cmdkey to look for cached credentials on the system", "meta": { "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/01/16", @@ -46472,8 +51677,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", + "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -46491,12 +51696,12 @@ } ], "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", - "value": "Cmdkey Cached Credentials Recon" + "value": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" }, { "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "author": "Vadim Khrykov, Cyb3rEng", "creation_date": "2021/08/23", "falsepositive": [ "Unknown" @@ -46542,12 +51747,12 @@ } ], "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", - "value": "Suspicious WMI Execution Via Office Process" + "value": "Suspicious WMIC Execution Via Office Process" }, { "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", "falsepositive": [ "Unknown" @@ -46558,8 +51763,8 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -46588,7 +51793,83 @@ } ], "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "value": "Bitsadmin Download to Suspicious Target Folder" + "value": "File Download Via Bitsadmin To A Suspicious Target Folder" + }, + { + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/02/09", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_msiexec_web_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "value": "MsiExec Web Install" + }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "filename": "proc_creation_win_powershell_script_engine_parent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation From Script Engines" }, { "description": "Detects when a user downloads file by using CertOC.exe", @@ -46623,44 +51904,6 @@ "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", "value": "Suspicious File Download via CertOC.exe" }, - { - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/24", - "falsepositive": [ - "Legitimate files with these rare hacktool names" - ], - "filename": "proc_creation_win_tools_relay_attacks.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/ohpe/juicy-potato", - "https://www.localpotato.com/", - "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" - ], - "tags": [ - "attack.execution", - "attack.t1557.001" - ] - }, - "related": [ - { - "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", - "value": "SMB Relay Attack Tools" - }, { "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", "meta": { @@ -46695,202 +51938,6 @@ "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", "value": "Defrag Deactivation" }, - { - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2021/07/21", - "falsepositive": [ - "Legitimate ncat use" - ], - "filename": "proc_creation_win_netcat_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://nmap.org/ncat/", - "https://www.revshells.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1095" - ] - }, - "related": [ - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "value": "Netcat Suspicious Execution" - }, - { - "description": "Detects the use of SDelete to erase a file not the free space", - "meta": { - "author": "frack113", - "creation_date": "2021/06/03", - "falsepositive": [ - "System administrator usage" - ], - "filename": "proc_creation_win_sdelete.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "related": [ - { - "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a4824fca-976f-4964-b334-0621379e84c4", - "value": "Sysinternals SDelete Delete File" - }, - { - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "meta": { - "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/03/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_etw_trace_evasion.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" - ] - }, - "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "value": "Disable of ETW Trace" - }, - { - "description": "Detects suspicious powershell command line parameters used in Empire", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/04/20", - "falsepositive": [ - "Other tools that incidentally use the same command line parameters" - ], - "filename": "proc_creation_win_susp_powershell_empire_launch.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "value": "Empire PowerShell Launch Parameters" - }, - { - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "meta": { - "author": "frack113", - "creation_date": "2021/12/27", - "falsepositive": [ - "Tools that accidentally use the same command line flags and values" - ], - "filename": "proc_creation_win_hashcat.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", - "https://hashcat.net/wiki/doku.php?id=hashcat", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110.002" - ] - }, - "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", - "value": "Password Cracking with Hashcat" - }, - { - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2021/12/18", - "falsepositive": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" - ], - "filename": "proc_creation_win_susp_psloglist.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://twitter.com/EricaZelic/status/1614075109827874817", - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" - ] - }, - "related": [ - { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", - "value": "Suspicious Use of PsLogList" - }, { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "meta": { @@ -46905,8 +51952,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -46959,6 +52006,42 @@ "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", "value": "Use of UltraViewer Remote Access Software" }, + { + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_netsh_helper_dll_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://attack.mitre.org/software/S0108/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" + ] + }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "56321594-9087-49d9-bf10-524fe8479452", + "value": "Potential Persistence Via Netsh Helper DLL" + }, { "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", "meta": { @@ -47000,15 +52083,15 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml", + "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ "attack.defense_evasion", @@ -47035,132 +52118,41 @@ } ], "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", - "value": "Bitsadmin Download File with Suspicious Extension" + "value": "File With Suspicious Extension Downloaded Via Bitsadmin" }, { - "description": "Detects usage of wmic to start or stop a service", + "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/20", + "author": "Markus Neis, keepwatch", + "creation_date": "2018/11/14", "falsepositive": [ - "Unknown" + "Administration activity" ], - "filename": "proc_creation_win_wmic_service.yml", + "filename": "proc_creation_win_setspn_spn_enumeration.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml" + "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ - "attack.execution", - "attack.t1047" + "attack.credential_access", + "attack.t1558.003" ] }, "related": [ { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", - "value": "WMIC Service Start/Stop" - }, - { - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_invoke_webrequest_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", - "value": "Suspicious Invoke-WebRequest Usage" - }, - { - "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys", - "meta": { - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)", - "creation_date": "2022/02/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_reg_enable_rdp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" - ] - }, - "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536", - "value": "Enabling RDP Service via Reg.exe" - }, - { - "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", - "meta": { - "author": "frack113", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_netsh_fw_delete.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "related": [ - { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", - "value": "Netsh Firewall Rule Deletion" + "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "value": "Potential SPN Enumeration Via Setspn.EXE" }, { "description": "Detects suspicious process that use escape characters", @@ -47176,10 +52168,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/vysecurity/status/885545634958385153", - "https://twitter.com/Hexacorn/status/885570278637678592", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", - "https://twitter.com/Hexacorn/status/885553465417756673", "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" ], "tags": [ @@ -47256,29 +52248,6 @@ "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", "value": "Execution Of Non-Existing File" }, - { - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/10/10", - "falsepositive": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "filename": "proc_creation_win_susp_process_hacker.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/winsiderss/systeminformer", - "https://processhacker.sourceforge.io/", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" - ], - "tags": "No established tags" - }, - "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", - "value": "Process Hacker / System Informer Usage" - }, { "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "meta": { @@ -47292,8 +52261,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" ], "tags": [ @@ -47301,6 +52270,15 @@ "attack.t1574.011" ] }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "value": "Potential Privilege Escalation via Service Permissions Weakness" }, @@ -47337,29 +52315,6 @@ "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "value": "New User Created Via Net.EXE With Never Expire Option" }, - { - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", - "value": "Rundll32 JS RunHTMLApplication Pattern" - }, { "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", "meta": { @@ -47373,8 +52328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", + "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ @@ -47395,34 +52350,10 @@ "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", "value": "Monitoring Winget For LOLbin Execution" }, - { - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_krbrelay.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/cube0x0/KrbRelay", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", - "value": "KrbRelay Hack Tool" - }, { "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "creation_date": "2022/06/21", "falsepositive": [ "Legitimate usage of \".diagcab\" files" @@ -47432,6 +52363,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], @@ -47450,149 +52384,145 @@ } ], "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "value": "MSDT.EXE Execution With Suspicious Cab Option" + "value": "Suspicious Cabinet File Execution Via Msdt.EXE" }, { - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", "meta": { - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2017/11/10", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_mal_adwind.yml", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2023/01/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" + "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw", + "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_win_server_undocumented_rce.yml" + ], + "tags": "No established tags" + }, + "uuid": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", + "value": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE" + }, + { + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_hermetic_wiper_activity.yml" ], "tags": [ "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "attack.lateral_movement", + "attack.t1021.001" ] }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", + "value": "Hermetic Wiper TG Process Patterns" + }, + { + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "meta": { + "author": "Vasiliy Burov", + "creation_date": "2020/10/05", + "falsepositive": [ + "Software that uses the caret encased keywords PASS and USER in its command line" + ], + "filename": "proc_creation_win_hktl_hydra.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/vanhauser-thc/thc-hydra", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "value": "Adwind RAT / JRAT" + "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", + "value": "HackTool - Hydra Password Bruteforce Execution" }, { - "description": "Detects the use of Windows Credential Editor (WCE)", + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/12/31", - "falsepositive": [ - "Another service that uses a single -s command line switch" - ], - "filename": "proc_creation_win_hack_wce.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.ampliasecurity.com/research/windows-credentials-editor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", - "value": "Windows Credential Editor" - }, - { - "description": "Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.", - "meta": { - "author": "Furkan Caliskan (@caliskanfurkan_)", - "creation_date": "2020/07/04", - "falsepositive": [ - "Legitimate admin usage" - ], - "filename": "proc_creation_win_susp_ditsnap.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/yosqueoy/ditsnap", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", - "value": "DIT Snapshot Viewer Use" - }, - { - "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/20", + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmic_hotfix_enum.yml", + "filename": "proc_creation_win_reg_query_registry.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml" ], "tags": [ - "attack.execution", - "attack.t1047" + "attack.discovery", + "attack.t1012", + "attack.t1007" ] }, "related": [ { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", - "value": "WMIC Hotfix Recon" + "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "value": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, { "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", @@ -47607,8 +52537,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/ps/foreach-object.htmll", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/ps/foreach-object.htmll", "https://ss64.com/nt/for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" ], @@ -47626,6 +52556,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", @@ -47665,8 +52602,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" ], "tags": [ @@ -47687,72 +52624,105 @@ "value": "Suspicious Stop Windows Service" }, { - "description": "Detect use of TruffleSnout.exe", + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { - "author": "frack113", - "creation_date": "2022/08/20", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/02/04", "falsepositive": [ - "Legitimate use" + "Very unlikely" ], - "filename": "proc_creation_win_trufflesnout.yml", - "level": "medium", + "filename": "proc_creation_win_hktl_dumpert.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ - "attack.discovery", - "attack.t1482" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "value": "Launch TruffleSnout Executable" + "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "value": "HackTool - Dumpert Process Dumper Execution" }, { - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.", + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/08", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/05", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmic_computersystem_recon.yml", - "level": "medium", + "filename": "proc_creation_win_whoami_priv_discovery.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml" ], "tags": [ + "attack.privilege_escalation", "attack.discovery", - "attack.execution", - "attack.t1047" + "attack.t1033" ] }, "related": [ { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", - "value": "Suspicious Get ComputerSystem Information with WMIC" + "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "value": "Security Privileges Enumeration Via Whoami.EXE" + }, + { + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_open_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "value": "Suspicious Reg Add Open Command" }, { "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", @@ -47812,8 +52782,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -47874,6 +52844,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -47886,31 +52863,62 @@ "value": "Abusing Findstr for Defense Evasion" }, { - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/11/29", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/25", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_powertool_execution.yml", + "filename": "proc_creation_win_hktl_crackmapexec_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" + ], + "tags": "No established tags" + }, + "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "value": "HackTool - CrackMapExec Execution" + }, + { + "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Highly likely if rar is a default archiver in the monitored environment." + ], + "filename": "proc_creation_win_rar_compress_data.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.collection", + "attack.t1560.001" ] }, - "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", - "value": "PowerTool Execution" + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "value": "Files Added To An Archive Using Rar.EXE" }, { "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", @@ -47937,6 +52945,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ @@ -47953,7 +52968,7 @@ } ], "uuid": "5bb68627-3198-40ca-b458-49f973db8752", - "value": "Rundll32 Without Parameters" + "value": "Rundll32 Execution Without Parameters" }, { "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", @@ -47961,7 +52976,7 @@ "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", "creation_date": "2020/10/05", "falsepositive": [ - "Automation and orchestration scripts may use this method execute scripts etc", + "Automation and orchestration scripts may use this method to execute scripts etc.", "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], "filename": "proc_creation_win_lolbin_susp_wsl.yml", @@ -47999,6 +53014,57 @@ "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "value": "Arbitrary Command Execution Using WSL" }, + { + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "High" + ], + "filename": "proc_creation_win_cmd_http_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "value": "Command Line Execution with Suspicious URL and AppData Strings" + }, { "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", "meta": { @@ -48021,27 +53087,95 @@ "value": "Suspicious IIS Module Registration" }, { - "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.", + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_query_registry.yml", - "level": "low", + "author": "Furkan Caliskan (@caliskanfurkan_)", + "creation_date": "2020/07/04", + "falsepositive": [ + "Legitimate admin usage" + ], + "filename": "proc_creation_win_pua_ditsnap.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml" + "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" + "attack.credential_access", + "attack.t1003.003" ] }, - "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", - "value": "Query Registry" + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", + "value": "PUA - DIT Snapshot Viewer" + }, + { + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "value": "Renamed PsExec Service Execution" + }, + { + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "creation_date": "2021/02/02", + "falsepositive": [ + "Admin activity" + ], + "filename": "proc_creation_win_auditpol_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", + "value": "Audit Policy Tampering Via Auditpol" }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", @@ -48143,53 +53277,72 @@ "value": "Powershell Token Obfuscation - Process Creation" }, { - "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. (See vba2clr project in reference)", + "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/13", + "author": "frack113", + "creation_date": "2022/01/22", "falsepositive": [ - "Legitimate usage of office automation via scripting" + "Unknown" ], - "filename": "proc_creation_win_office_svchost_child.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/med0x2e/vba2clr", - "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion" - ] - }, - "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", - "value": "Svchost Spawning Office Application" - }, - { - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "meta": { - "author": "Nasreddine Bencherchali @nas_bench", - "creation_date": "2021/12/18", - "falsepositive": [ - "Legitimate administrative use (Should be investigated either way)" - ], - "filename": "proc_creation_win_cleanwipe.yml", + "filename": "proc_creation_win_pua_radmin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml" + "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ] + }, + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "value": "PUA - Radmin Viewer Utility Execution" + }, + { + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_disable_firewall.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1562" ] }, - "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", - "value": "CleanWipe Usage" + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "value": "Windows Firewall Disabled via PowerShell" }, { "description": "The Devtoolslauncher.exe executes other binary", @@ -48248,6 +53401,13 @@ ] }, "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ @@ -48260,30 +53420,26 @@ "value": "Judgement Panda Credential Access Activity" }, { - "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "meta": { - "author": "Eli Salem, Sander Wiebing, oscd.community", - "creation_date": "2020/10/08", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/28", "falsepositive": [ - "Legitimate modification of keys" + "Unknown" ], - "filename": "proc_creation_win_regini.yml", - "level": "low", + "filename": "proc_creation_win_dtrace_kernel_dump.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ] + "tags": "No established tags" }, - "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", - "value": "Modifies the Registry From a File" + "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "value": "Suspicious Kernel Dump Using Dtrace" }, { "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", @@ -48321,7 +53477,7 @@ { "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "meta": { - "author": "Florian Roth (Nextron Systems), @blu3_team (idea)", + "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/06/26", "falsepositive": [ "Unknown" @@ -48331,8 +53487,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -48340,8 +53496,17 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "value": "Suspicious Double Extension" + "value": "Suspicious Double Extension File Execution" }, { "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", @@ -48397,29 +53562,148 @@ "value": "Exploited CVE-2020-10189 Zoho ManageEngine" }, { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/07", "falsepositive": [ - "Unlikely" + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], - "filename": "proc_creation_win_import_cert_susp_locations.yml", + "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", + "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", + "value": "Suspicious Rundll32 Setupapi.dll Activity" + }, + { + "description": "Attempts to detect system changes made by Blue Mockingbird", + "meta": { + "author": "Trent Liffick (@tliffick)", + "creation_date": "2020/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_blue_mockingbird.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blue_mockingbird.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.execution", + "attack.t1112", + "attack.t1047" ] }, - "uuid": "5f6a601c-2ecb-498b-9c33-660362323afa", - "value": "Root Certificate Installed From Susp Locations" + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "value": "Blue Mockingbird" + }, + { + "description": "Detects creation of a scheduled task with a GUID like name", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/31", + "falsepositive": [ + "Legitimate software naming their tasks as GUIDs" + ], + "filename": "proc_creation_win_schtasks_guid_task_name.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "value": "Suspicious Scheduled Task Name As GUID" + }, + { + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/21", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_rundll32_keymgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/NinjaParanoid/status/1516442028963659777", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ] + }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "value": "Suspicious Key Manager Access" }, { "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", @@ -48456,84 +53740,17 @@ "value": "Suspicious Serv-U Process Pattern" }, { - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wsudo_susp_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/M2Team/Privexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", - "value": "Wsudo Suspicious Execution" - }, - { - "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", - "falsepositive": [ - "FQDNs that start with a number" - ], - "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", - "https://twitter.com/tccontre18/status/1480950986650832903", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ] - }, - "related": [ - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", - "value": "Suspicious Regsvr32 HTTP IP Pattern" - }, - { - "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", + "description": "Detects file download using curl.exe", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/07/05", "falsepositive": [ "Scripts created by developers and admins", - "Administrative activity" + "Administrative activity", + "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], "filename": "proc_creation_win_curl_download.yml", - "level": "low", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -48554,8 +53771,8 @@ "type": "related-to" } ], - "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", - "value": "Curl Usage on Windows" + "uuid": "9a517fca-4ba3-4629-9278-a68694697b81", + "value": "File Download Via Curl.EXE" }, { "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", @@ -48590,6 +53807,40 @@ "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", "value": "Potential PowerShell Execution Via DLL" }, + { + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", + "meta": { + "author": "frack113", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", + "value": "Windows Defender Definition Files Removed" + }, { "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", "meta": { @@ -48624,25 +53875,37 @@ "value": "Execution via WorkFolders.exe" }, { - "description": "Detects suspicious child processes spawned by PowerShell", + "description": "Detects suspicious scheduled task creations with commands that are uncommon", "meta": { - "author": "Florian Roth (Nextron Systems), Tim Shelton", - "creation_date": "2022/04/26", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/23", "falsepositive": [ - "Unknown" + "Software installers that run from temporary folders and also install scheduled tasks" ], - "filename": "proc_creation_win_susp_powershell_sub_processes.yml", + "filename": "proc_creation_win_schtasks_susp_pattern.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ankit_anubhav/status/1518835408502620162", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml" + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], - "tags": "No established tags" + "tags": [ + "attack.execution", + "attack.t1053.005" + ] }, - "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "value": "Suspicious PowerShell Child Processes" + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "value": "Suspicious Add Scheduled Command Pattern" }, { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", @@ -48665,76 +53928,50 @@ "attack.t1553.004" ] }, + "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc", "value": "Root Certificate Installed" }, { - "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", "meta": { - "author": "pH-T (Nextron Systems)", - "creation_date": "2022/09/01", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/10/08", "falsepositive": [ - "Unknown" + "Legitimate use" ], - "filename": "proc_creation_win_susp_net_use.yml", + "filename": "proc_creation_win_pua_iox.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", - "https://twitter.com/ShadowChasing1/status/1552595370961944576", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" + "https://github.com/EddieIvan01/iox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.command_and_control", + "attack.t1090" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "value": "Suspicious Net Use Command Combo" - }, - { - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "meta": { - "author": "Olaf Hartong", - "creation_date": "2019/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_bearlpe_potential_exploitation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bearlpe_potential_exploitation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", - "value": "Potential BearLPE Exploitation" + "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", + "value": "PUA- IOX Tunneling Tool Execution" }, { "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", @@ -48749,8 +53986,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -48775,6 +54012,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", @@ -48814,95 +54058,38 @@ "value": "Suspicious CustomShellHost Execution" }, { - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc_as_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", - "value": "PsExec Service Execution as LOCAL SYSTEM" - }, - { - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks. In order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", - "value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser" - }, - { - "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", + "creation_date": "2022/06/27", "falsepositive": [ - "Legitmate processes that run at logon. Filter according to your environment" + "Unlikely" ], - "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", + "filename": "proc_creation_win_dllhost_no_cli_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.defense_evasion", + "attack.t1055" ] }, "related": [ { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", - "value": "Suspicious Schtasks Schedule Types" + "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "value": "Dllhost.EXE Execution Anomaly" }, { "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", @@ -48917,8 +54104,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" ], "tags": [ @@ -48926,94 +54113,59 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", "value": "Obfuscated Command Line Using Special Unicode Characters" }, { - "description": "Execute VBscript code that is referenced within the *.bgi file.", + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/20", "falsepositive": [ - "Unknown" + "Command lines that use the same flags" ], - "filename": "proc_creation_win_susp_bginfo.yml", - "level": "medium", + "filename": "proc_creation_win_renamed_createdump.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", - "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ - "attack.execution", - "attack.t1059.005", "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1036", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", - "value": "Application Whitelisting Bypass via Bginfo" - }, - { - "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_unquoted_service_search.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "value": "WMIC Unquoted Services Path Lookup" + "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "value": "Renamed CreateDump Utility Execution" }, { "description": "Detects when an admin share is mounted using net.exe", @@ -49036,8 +54188,17 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", - "value": "Windows Admin Share Mounted Via Net.EXE" + "value": "Windows Admin Share Mount Via Net.EXE" }, { "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", @@ -49073,10 +54234,10 @@ "value": "Disable Windows IIS HTTP Logging" }, { - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "description": "Detects UAC bypass method using Windows event viewer", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/11/22", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/03/19", "falsepositive": [ "Unknown" ], @@ -49085,73 +54246,36 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation" - ] - }, - "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", - "value": "UAC Bypass Using Event Viewer RecentViews" - }, - { - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_renamed_adfind.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" ] }, "related": [ { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "value": "Renamed AdFind Detection" + "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", + "value": "UAC Bypass via Event Viewer" }, { - "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", "meta": { "author": "Sittikorn S", "creation_date": "2021/06/22", "falsepositive": [ - "Software that illegaly integrates MegaSync in a renamed form", + "Software that illegally integrates MegaSync in a renamed form", "Administrators that have renamed MegaSync" ], "filename": "proc_creation_win_renamed_megasync.yml", @@ -49177,7 +54301,7 @@ } ], "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", - "value": "Renamed MegaSync" + "value": "Renamed MegaSync Execution" }, { "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", @@ -49194,8 +54318,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ @@ -49203,6 +54327,15 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "de587dce-915e-4218-aac4-835ca6af6f70", "value": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" }, @@ -49247,6 +54380,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ @@ -49258,31 +54398,6 @@ "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", "value": "Baby Shark Activity" }, - { - "description": "Detects suspicious process run from unusual locations", - "meta": { - "author": "juju4, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/01/16", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_run_locations.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://car.mitre.org/wiki/CAR-2013-05-002", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" - ] - }, - "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", - "value": "Suspicious Process Start Locations" - }, { "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", "meta": { @@ -49316,6 +54431,42 @@ "uuid": "1a70042a-6622-4a2b-8958-267625349abf", "value": "Run from a Zip File" }, + { + "description": "Detects some Empire PowerShell UAC bypass methods", + "meta": { + "author": "Ecco", + "creation_date": "2019/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", + "value": "HackTool - Empire PowerShell UAC Bypass" + }, { "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", "meta": { @@ -49350,6 +54501,40 @@ "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", "value": "Possible Shim Database Persistence via sdbinst.exe" }, + { + "description": "Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_clip_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "value": "Data Copied To Clipboard Via Clip.EXE" + }, { "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", "meta": { @@ -49363,9 +54548,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.php.net/manual/en/features.commandline.php", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -49386,27 +54571,27 @@ "value": "Php Inline Command Execution" }, { - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/28", + "author": "frack113", + "creation_date": "2022/06/04", "falsepositive": [ - "Unknown" + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], - "filename": "proc_creation_win_raspberry_robin_single_dot_ending_file.yml", - "level": "high", + "filename": "proc_creation_win_rundll32_user32_dll.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" + "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml" ], "tags": [ - "attack.execution" + "attack.defense_evasion" ] }, - "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "value": "Raspberry Robin Dot Ending File" + "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", + "value": "Suspicious Workstation Locking via Rundll32" }, { "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", @@ -49422,9 +54607,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://ss64.com/bash/rar.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" ], "tags": [ @@ -49444,6 +54629,41 @@ "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", "value": "Rar Usage with Password and Compression Level" }, + { + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_pua_runxcmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "93199800-b52a-4dec-b762-75212c196542", + "value": "PUA - RunXCmd Execution" + }, { "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "meta": { @@ -49452,13 +54672,13 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_regsvr32_no_dll.yml", + "filename": "proc_creation_win_regsvr32_no_dll.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml" ], "tags": [ "attack.defense_evasion", @@ -49479,134 +54699,70 @@ "value": "Regsvr32 Command Line Without DLL" }, { - "description": "Attempts to detect system changes made by Blue Mockingbird", + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", "meta": { - "author": "Trent Liffick (@tliffick)", - "creation_date": "2020/05/14", + "author": "Harjot Singh, '@cyb3rjy0t'", + "creation_date": "2023/01/21", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_mal_blue_mockingbird.yml", + "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/blue-mockingbird-cryptominer/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "value": "Blue Mockingbird" - }, - { - "description": "Detects the execution of whoami with suspicious parents or parameters", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/08/12", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "filename": "proc_creation_win_susp_whoami_anomaly.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", - "value": "Whoami Execution Anomaly" - }, - { - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/31", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_regsvr32_remote_share.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Rundll32", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1564.004" ] }, "related": [ { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", - "value": "Suspicious Regsvr32 Execution From Remote Share" + "uuid": "9248c7e1-2bf3-4661-a22c-600a8040b446", + "value": "Potential Rundll32 Execution With DLL Stored In ADS" }, { - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/11/22", + "author": "frack113", + "creation_date": "2021/12/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", - "level": "critical", + "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", - "https://github.com/klinix5/InstallerFileTakeOver", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.t1068" + "attack.impact", + "attack.t1485" ] }, "related": [ { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" + "uuid": "4b046706-5789-4673-b111-66f25fe99534", + "value": "Deleted Data Overwritten Via Cipher.EXE" }, { "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", @@ -49633,41 +54789,89 @@ ] }, "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "value": "Suspicious Add User to Remote Desktop Users Group" }, { - "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "meta": { - "author": "Jonhnathan Ribeiro, oscd.community", - "creation_date": "2020/10/16", + "author": "frack113", + "creation_date": "2021/12/10", "falsepositive": [ - "Unknown" + "Network administrator computer" ], - "filename": "proc_creation_win_susp_service_dacl_modification.yml", + "filename": "proc_creation_win_pua_nmap_zenmap.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" + "https://nmap.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "value": "PUA - Nmap/Zenmap Execution" + }, + { + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Installation of unsigned packages for testing purposes" + ], + "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion" ] }, - "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "value": "Suspicious Service DACL Modification" + "uuid": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", + "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, { "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", @@ -49689,9 +54893,129 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "value": "Process Creation Using Sysnative Folder" }, + { + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "meta": { + "author": "sam0x90", + "creation_date": "2021/08/06", + "falsepositive": [ + "To be determined" + ], + "filename": "proc_creation_win_esentutl_params.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "value": "Esentutl Gather Credentials" + }, + { + "description": "Detects the use of NSudo tool for command execution", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_pua_nsudo.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://nsudo.m2team.org/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", + "value": "PUA - NSudo Execution" + }, + { + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/08/26", + "falsepositive": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + "filename": "proc_creation_win_malware_snatch_ransomware.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_snatch_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", + "value": "Potential Snatch Ransomware Activity" + }, { "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "meta": { @@ -49713,6 +55037,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", "value": "Suspicious GrpConv Execution" }, @@ -49729,8 +55062,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -49750,6 +55083,49 @@ "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "value": "WMI Backdoor Exchange Transport Agent" }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_automated_collection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "value": "Automated Collection Command Prompt" + }, { "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "meta": { @@ -49775,33 +55151,7 @@ ] }, "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5", - "value": "Execution of Renamed Remote Utilities RAT (RURAT)" - }, - { - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/18", - "falsepositive": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" - ], - "filename": "proc_creation_win_wpbbin_persistence.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", - "https://persistence-info.github.io/Data/wpbbin.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" - ] - }, - "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", - "value": "UEFI Persistence Via Wpbbin - ProcessCreation" + "value": "Renamed Remote Utilities RAT (RURAT) Execution" }, { "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", @@ -49826,6 +55176,13 @@ ] }, "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ @@ -49850,14 +55207,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -49952,6 +55309,40 @@ "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", "value": "Proxy Execution Via Explorer.exe" }, + { + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_pypykatz.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "value": "HackTool - Pypykatz Credentials Dumping Activity" + }, { "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "meta": { @@ -49983,61 +55374,85 @@ } ], "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", - "value": "CreateMiniDump Hacktool" + "value": "HackTool - CreateMiniDump Execution" }, { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "meta": { - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "creation_date": "2021/12/07", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2018/12/27", "falsepositive": [ - "Administrative activity" + "Unknown" ], - "filename": "proc_creation_win_susp_netsh_discovery_command.yml", - "level": "low", + "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ - "attack.discovery", - "attack.t1016" + "attack.execution", + "attack.t1059", + "attack.t1202" ] }, - "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "value": "Suspicious Netsh Discovery Command" + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "55f0a3a1-846e-40eb-8273-677371b8d912", + "value": "Outlook EnableUnsafeClientMailRules Setting Enabled" }, { - "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", "meta": { - "author": "@ROxPinTeddy, Nasreddine Bencherchali", - "creation_date": "2020/05/12", + "author": "Florian Roth (Nextron Systems), oscd.community", + "creation_date": "2019/01/29", "falsepositive": [ - "Legitimate administrative use" + "Legitimate administration activity" ], - "filename": "proc_creation_win_advanced_ip_scanner.yml", - "level": "medium", + "filename": "proc_creation_win_netsh_port_forwarding_3389.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml" ], "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" ] }, - "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", - "value": "Advanced IP Scanner" + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "value": "RDP Port Forwarding Rule Added Via Netsh.EXE" }, { "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", @@ -50087,8 +55502,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ @@ -50096,11 +55511,20 @@ "attack.t1115" ] }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "value": "PowerShell Get-Clipboard Cmdlet Via CLI" }, { - "description": "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", "meta": { "author": "Bhabesh Raj", "creation_date": "2021/07/30", @@ -50112,8 +55536,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -50131,40 +55555,7 @@ } ], "uuid": "9f107a84-532c-41af-b005-8d12a607639f", - "value": "Cabinet File Expansion" - }, - { - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_schtasks_delete_all.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "related": [ - { - "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "value": "Delete All Scheduled Tasks" + "value": "Suspicious Cabinet File Expansion" }, { "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", @@ -50190,6 +55581,36 @@ "attack.t1087" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "value": "Chopper Webshell Process Pattern" }, @@ -50225,39 +55646,47 @@ "value": "TropicTrooper Campaign November 2018" }, { - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/12", + "author": "pH-T (Nextron Systems)", + "creation_date": "2022/03/01", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_susp_mofcomp_execution.yml", - "level": "medium", + "filename": "proc_creation_win_powershell_base64_load.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", - "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml" ], "tags": [ "attack.execution", - "attack.t1218" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", - "value": "Suspicious Mofcomp Execution" + "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "value": "Suspicious Encoded Obfuscated LOAD String" }, { "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", @@ -50273,8 +55702,8 @@ "logsource.product": "windows", "refs": [ "https://blog.viettelcybersecurity.com/saml-show-stopper/", - "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", + "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml" ], "tags": "No established tags" @@ -50304,44 +55733,17 @@ "attack.g0044" ] }, - "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", - "value": "Winnti Malware HK University Campaign" - }, - { - "description": "Detects netsh commands that turns off the Windows firewall", - "meta": { - "author": "Fatih Sirin", - "creation_date": "2019/11/01", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" - ] - }, "related": [ { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "value": "Firewall Disabled via Netsh" + "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", + "value": "Winnti Malware HK University Campaign" }, { "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", @@ -50376,6 +55778,54 @@ "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" }, + { + "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", + "meta": { + "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/02/18", + "falsepositive": [ + "Unlikely, because no one should dump the process memory in that way" + ], + "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", + "value": "Process Dumping Via Comsvcs.DLL" + }, { "description": "Detects suspicious execution of Regasm/Regsvcs utilities", "meta": { @@ -50389,8 +55839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" ], @@ -50424,10 +55874,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/defaultnamehere/cookie_crimes/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" ], "tags": [ @@ -50448,51 +55898,37 @@ "value": "Browser Started with Remote Debugging" }, { - "description": "Detects suspicious PowerShell invocation command parameters", + "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/05", + "author": "frack113", + "creation_date": "2022/08/20", "falsepositive": [ - "Unknown" + "Legitimate use" ], - "filename": "proc_creation_win_susp_powershell_invocation_specific.yml", + "filename": "proc_creation_win_pua_webbrowserpassview.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml" ], "tags": [ - "attack.defense_evasion" + "attack.credential_access", + "attack.t1555.003" ] }, - "uuid": "536e2947-3729-478c-9903-745aaffe60d2", - "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation" - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", - "falsepositive": [ - "Very unlikely" - ], - "filename": "proc_creation_win_pingback_backdoor.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ] - }, - "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "value": "Pingback Backdoor" + "related": [ + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "value": "PUA - WebBrowserPassView Execution" }, { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", @@ -50500,18 +55936,19 @@ "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "creation_date": "2019/06/15", "falsepositive": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], "filename": "proc_creation_win_renamed_binary_highly_relevant.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/christophetd/status/1164506034720952320", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -50533,71 +55970,37 @@ "value": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries" }, { - "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/20", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_bootconf_mod.yml", - "level": "high", + "filename": "proc_creation_win_hktl_safetykatz.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml" ], "tags": [ - "attack.impact", - "attack.t1490" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "value": "Modification of Boot Configuration" - }, - { - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/05/24", - "falsepositive": [ - "Other tools that work with encoded scripts in the command line instead of script files" - ], - "filename": "proc_creation_win_susp_powershell_encoded_cmd_patterns.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "value": "Suspicious PowerShell Encoded Command Patterns" + "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", + "value": "HackTool - SafetyKatz Execution" }, { "description": "Detect the harvesting of wifi credentials using netsh.exe", @@ -50605,7 +56008,7 @@ "author": "Andreas Hunkeler (@Karneades), oscd.community", "creation_date": "2020/04/20", "falsepositive": [ - "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason" + "Unknown" ], "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml", "level": "medium", @@ -50621,8 +56024,63 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", - "value": "Harvesting of Wifi Credentials Using netsh.exe" + "value": "Harvesting Of Wifi Credentials Via Netsh.EXE" + }, + { + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_pua_advanced_ip_scanner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "value": "PUA - Advanced IP Scanner Execution" }, { "description": "Detects suspicious IIS native-code module installations via command line", @@ -50646,41 +56104,55 @@ "attack.t1505.003" ] }, - "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "value": "IIS Native-Code Module Command Line Installation" - }, - { - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_folder_combos.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, "related": [ { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "value": "Schtasks From Suspicious Folders" + "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "value": "IIS Native-Code Module Command Line Installation" + }, + { + "description": "Detects suspicious process related to rundll32 based on arguments", + "meta": { + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_rundll32_susp_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/nas_bench/status/1433344116071583746", + "https://twitter.com/Hexacorn/status/885258886428725250", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479106975967240209", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "value": "Suspicious Rundll32 Activity" }, { "description": "Detects Access to Domain Group Policies stored in SYSVOL", @@ -50716,66 +56188,6 @@ "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "value": "Suspicious SYSVOL Domain Group Policy Access" }, - { - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/21", - "falsepositive": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" - ], - "filename": "proc_creation_win_susp_schtasks_env_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", - "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "81325ce1-be01-4250-944f-b4789644556f", - "value": "Suspicious Schtasks From Env Var Folder" - }, - { - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003" - ] - }, - "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", - "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" - }, { "description": "Detects the export of a crital Registry key to a file.", "meta": { @@ -50798,41 +56210,17 @@ "attack.t1012" ] }, - "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", - "value": "Exports Critical Registry Keys To a File" - }, - { - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ] - }, "related": [ { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", - "value": "Regsvr32 Flags Anomaly" + "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", + "value": "Exports Critical Registry Keys To a File" }, { "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", @@ -50847,8 +56235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], @@ -50861,30 +56249,38 @@ "value": "Wab/Wabmig Unusual Parent Or Child Processes" }, { - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", + "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/06/12", + "creation_date": "2019/12/31", "falsepositive": [ - "Unknown" + "Another service that uses a single -s command line switch" ], - "filename": "proc_creation_win_plugx_susp_exe_locations.yml", - "level": "high", + "filename": "proc_creation_win_hktl_wce.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", - "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml" ], "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" ] }, - "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2", - "value": "Executable Used by PlugX in Uncommon Location" + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", + "value": "HackTool - Windows Credential Editor (WCE) Execution" }, { "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", @@ -50899,8 +56295,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" ], "tags": [ @@ -50909,41 +56305,17 @@ "attack.t1546.008" ] }, - "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", - "value": "Suspicious Debugger Registration Cmdline" - }, - { - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "meta": { - "author": "John Lambert (rule)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", - "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", + "value": "Suspicious Debugger Registration Cmdline" }, { "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", @@ -50980,39 +56352,6 @@ "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "value": "LSASS Memory Dumping" }, - { - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "meta": { - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", - "creation_date": "2021/02/02", - "falsepositive": [ - "Admin activity" - ], - "filename": "proc_creation_win_sus_auditpol_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", - "value": "Suspicious Auditpol Usage" - }, { "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", "meta": { @@ -51026,8 +56365,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", + "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -51047,39 +56386,6 @@ "uuid": "efec536f-72e8-4656-8960-5e85d091345b", "value": "Set Suspicious Files as System Files Using Attrib" }, - { - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/1kwpeter/status/1397816101455765504", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "related": [ - { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", - "value": "Regedit as Trusted Installer" - }, { "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", "meta": { @@ -51093,8 +56399,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/schroedingers-petya/78870/", "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", + "https://securelist.com/schroedingers-petya/78870/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" ], "tags": [ @@ -51132,48 +56438,13 @@ "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", "value": "NotPetya Ransomware Activity" }, - { - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/09/02", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_frp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://asec.ahnlab.com/en/38156/", - "https://github.com/fatedier/frp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "related": [ - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", - "value": "Fast Reverse Proxy (FRP)" - }, { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "meta": { - "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)", + "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "creation_date": "2019/06/15", "falsepositive": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" ], "filename": "proc_creation_win_renamed_binary.yml", "level": "medium", @@ -51278,130 +56549,38 @@ "value": "Execution via MSSQL Xp_cmdshell Stored Procedure" }, { - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", "meta": { - "author": "frack113", - "creation_date": "2023/01/13", + "author": "Bhabesh Raj", + "creation_date": "2021/03/03", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lsa_disablerestrictedadmin.yml", + "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml" + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26857_msexchange.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "28ac00d6-22d9-4a3c-927f-bbd770104573", - "value": "Disabled RestrictedAdminMode For RDS - ProcCreation" - }, - { - "description": "Dump sam, system or security hives using REG.exe utility", - "meta": { - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" - ], - "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" + "attack.t1203", + "attack.execution", + "cve.2021.26857" ] }, "related": [ { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "value": "Grabbing Sensitive Hives via Reg Utility" - }, - { - "description": "AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "meta": { - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", - "creation_date": "2021/02/02", - "falsepositive": [ - "Legitimate admin activity" - ], - "filename": "proc_creation_win_susp_adfind_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" - ] - }, - "related": [ - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", - "value": "AdFind Usage Detection" + "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "value": "Potential CVE-2021-26857 Exploitation Attempt" }, { "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", @@ -51416,11 +56595,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://blog.alyac.co.kr/1901", - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://blog.alyac.co.kr/1901", + "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -51433,6 +56612,13 @@ ] }, "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -51505,99 +56691,88 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f117933c-980c-4f78-b384-e3d838111165", - "value": "Windows Share Mounted Via Net.EXE" + "value": "Windows Share Mount Via Net.EXE" }, { - "description": "Detect use of WebBrowserPassView.exe", + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", "meta": { - "author": "frack113", - "creation_date": "2022/08/20", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/23", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_webbrowserpassview.yml", + "filename": "proc_creation_win_certoc_load_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml" + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ - "attack.credential_access", - "attack.t1555.003" + "attack.defense_evasion", + "attack.t1218" ] }, "related": [ { - "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", - "value": "Launch WebBrowserPassView Executable" + "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", + "value": "DLL Loaded via CertOC.EXE" }, { - "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.", + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", "meta": { - "author": "frack113", - "creation_date": "2022/04/17", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/11/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_7zip_cve_2022_29072.yml", - "level": "high", + "filename": "proc_creation_win_exploit_cve_2021_41379.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/kagancapar/status/1515219358234161153", - "https://github.com/kagancapar/CVE-2022-29072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml" + "https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/", + "https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_41379.yml" ], "tags": [ - "cve.2022.29072" - ] - }, - "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "value": "Suspicious 7zip Subprocess" - }, - { - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_quarks_pwdump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/quarkslab/quarkspwdump", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.privilege_escalation", + "attack.t1068" ] }, "related": [ { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0685b176-c816-4837-8e7b-1216f346636b", - "value": "Quarks PwDump Usage" + "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", + "value": "Potential CVE-2021-41379 Exploitation Attempt" }, { "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", @@ -51664,8 +56839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" ], "tags": [ @@ -51702,149 +56877,141 @@ "value": "Shadow Copies Creation Using Operating Systems Utilities" }, { - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/20", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/12/27", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_hack_safetykatz.yml", - "level": "critical", + "filename": "proc_creation_win_hktl_htran_or_natbypass.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" + "https://github.com/cw1997/NATBypass", + "https://github.com/HiwinCN/HTran", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", - "value": "SafetyKatz Hack Tool" + "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "value": "HackTool - Htran/NATBypass Execution" }, { - "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", "meta": { - "author": "frack113", - "creation_date": "2022/01/01", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/24", "falsepositive": [ - "Unknown" + "Legitimate use by administrators" ], - "filename": "proc_creation_win_wmic_remote_service.yml", + "filename": "proc_creation_win_pua_nircmd.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml" + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ "attack.execution", - "attack.t1047" + "attack.t1569.002", + "attack.s0029" ] }, "related": [ { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf", - "value": "WMI Reconnaissance List Remote Services" + "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "value": "PUA - NirCmd Execution" }, { - "description": "Detects Archer malware invocation via rundll32", + "description": "Detects suspicious renamed SysInternals DebugView execution", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/06/03", + "creation_date": "2020/05/28", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_crime_fireball.yml", + "filename": "proc_creation_win_renamed_sysinternals_debugview.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", - "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" + "https://www.epicturla.com/blog/sysinturla", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml" ], "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.011" + "attack.resource_development", + "attack.t1588.002" ] }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", - "value": "Fireball Archer Install" + "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "value": "Renamed SysInternals DebugView Execution" }, { - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "meta": { - "author": "Nik Seetharaman, frack113", - "creation_date": "2019/01/16", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/05", "falsepositive": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" + "Unknown" ], - "filename": "proc_creation_win_workflow_compiler.yml", + "filename": "proc_creation_win_rundll32_inline_vbs.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml" + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml" ], "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" + "attack.t1055" ] }, "related": [ { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "value": "Microsoft Workflow Compiler" + "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "value": "Suspicious Rundll32 Invoking Inline VBScript" }, { "description": "Attackers can use print.exe for remote file copy", @@ -51859,8 +57026,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" ], "tags": [ @@ -51893,8 +57060,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ @@ -51902,6 +57069,15 @@ "attack.t1124" ] }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", "value": "Use of W32tm as Timer" }, @@ -51941,6 +57117,32 @@ "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", "value": "Elise Backdoor" }, + { + "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "meta": { + "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_exploit_via_directory_traversal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444", + "https://twitter.com/sbousseaden/status/1531653369546301440", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exploit_via_directory_traversal.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", + "value": "Potential Exploitation Attempt From Office Application" + }, { "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", "meta": { @@ -51996,6 +57198,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", "value": "Webshell Recon Detection Via CommandLine & Processes" }, @@ -52045,8 +57256,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" ], "tags": [ @@ -52075,128 +57286,55 @@ "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" }, { - "description": "Detects suspicious renamed SysInternals DebugView execution", + "description": "Execute VBscript code that is referenced within the *.bgi file.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/05/28", + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_renamed_debugview.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.epicturla.com/blog/sysinturla", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "related": [ - { - "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", - "value": "Renamed SysInternals Debug View" - }, - { - "description": "Detects suspicious mshta process patterns", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_mshta_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.echotrail.io/insights/search/mshta.exe", - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://en.wikipedia.org/wiki/HTML_Application", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ] - }, - "related": [ - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "value": "Suspicious MSHTA Process Patterns" - }, - { - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "meta": { - "author": "frack113", - "creation_date": "2022/12/25", - "falsepositive": [ - "Legitimate use of the library" - ], - "filename": "proc_creation_win_ps_download_com_cradles.yml", + "filename": "proc_creation_win_lolbin_bginfo.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml" - ], - "tags": "No established tags" - }, - "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", - "value": "Potential COM Objects Download Cradles Usage - Process Creation" - }, - { - "description": "Detects the use of 3proxy, a tiny free proxy server", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/13", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_3proxy_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/3proxy/3proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ] }, "related": [ { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", - "value": "3Proxy Usage" + "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", + "value": "Application Whitelisting Bypass via Bginfo" }, { "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", @@ -52211,9 +57349,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -52237,9 +57375,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -52255,55 +57393,18 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "value": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" }, - { - "description": "Detects a suspicious curl process start the adds a file to a web request", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/07/03", - "falsepositive": [ - "Scripts created by developers and admins" - ], - "filename": "proc_creation_win_susp_curl_fileupload.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://curl.se/docs/manpage.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", - "value": "Suspicious Curl File Upload" - }, { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { @@ -52351,8 +57452,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Tylous/ZipExec", "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" ], "tags": [ @@ -52387,7 +57488,7 @@ "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)" + "Unlikely" ], "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", "level": "high", @@ -52431,37 +57532,37 @@ "value": "DNS Exfiltration and Tunneling Tools Execution" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", "meta": { - "author": "frack113", - "creation_date": "2022/02/13", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/07/13", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_gotoopener.yml", - "level": "medium", + "filename": "proc_creation_win_regsvr32_flags_anomaly.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml" + "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.defense_evasion", + "attack.t1218.010" ] }, "related": [ { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "value": "Use of GoToAssist Remote Access Software" + "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "value": "Regsvr32 Flags Anomaly" }, { "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", @@ -52496,6 +57597,118 @@ "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "value": "Findstr GPP Passwords" }, + { + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "filename": "proc_creation_win_curl_fileupload.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "value": "Potential Data Exfiltration Via Curl.EXE" + }, + { + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "meta": { + "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", + "creation_date": "2021/02/24", + "falsepositive": [ + "Admin activity (unclear what they do nowadays with finger.exe)" + ], + "filename": "proc_creation_win_finger_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", + "value": "Finger.exe Suspicious Invocation" + }, + { + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_sys.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "value": "Suspicious Rundll32 Activity Invoking Sys File" + }, { "description": "Detects encoded base64 MZ header in the commandline", "meta": { @@ -52520,39 +57733,73 @@ "value": "Base64 MZ Header In CommandLine" }, { - "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", "meta": { - "author": "frack113", - "creation_date": "2021/11/29", + "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", + "creation_date": "2021/08/30", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_regsvr32_image.yml", + "filename": "proc_creation_win_hktl_uacme.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.privilege_escalation", + "attack.t1548.002" ] }, "related": [ { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", - "value": "Suspicious Regsvr32 Execution With Image Extension" + "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "value": "HackTool - UACMe Akagi Execution" + }, + { + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/05/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "value": "Potential Arbitrary Command Execution Using Msdt.EXE" }, { "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", @@ -52589,31 +57836,53 @@ "value": "Remote Code Execute via Winrm.vbs" }, { - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", "meta": { - "author": "Ecco, E.M. Anhaus, oscd.community", - "creation_date": "2019/09/26", + "author": "Kirill Kiryanov, oscd.community", + "creation_date": "2019/10/23", "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Unlikely" ], - "filename": "proc_creation_win_susp_fsutil_usage.yml", + "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" + "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1070" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ] }, - "uuid": "add64136-62e5-48ea-807e-88638d02df1e", - "value": "Fsutil Suspicious Invocation" + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "value": "Sysmon Driver Unloaded Via Fltmc.EXE" }, { "description": "Detects a suspicious copy command to or from an Admin share or remote", @@ -52644,12 +57913,26 @@ ] }, "related": [ + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", @@ -52690,20 +57973,53 @@ "value": "UAC Bypass via ICMLuaUtil" }, { - "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_adcspwn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/ADCSPwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1557.001" + ] + }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "value": "HackTool - ADCSPwn Execution" + }, + { + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/09/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", + "filename": "proc_creation_win_hktl_sharpevtmute.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml" ], "tags": [ "attack.defense_evasion", @@ -52720,153 +58036,81 @@ } ], "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", - "value": "SharpEvtMute EvtMuteHook Load" + "value": "HackTool - SharpEvtMute Execution" }, { - "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "meta": { - "author": "Sai Prashanth Pulisetti @pulisettis", - "creation_date": "2022/12/21", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/04/23", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_impersonate_tool.yml", - "level": "medium", + "filename": "proc_creation_win_powershell_getprocess_lsass.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", - "https://github.com/sensepost/impersonate", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml" + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1134.001", - "attack.t1134.003" + "attack.credential_access", + "attack.t1552.004" ] }, "related": [ { - "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", - "value": "Impersonate Execution" + "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "value": "PowerShell Get-Process LSASS" }, { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/17", + "author": "Ilya Krestinichev", + "creation_date": "2022/11/03", "falsepositive": [ - "Rare intended use of hidden services" + "False positive could occur in admin scripts that execute inline" ], - "filename": "proc_creation_win_using_set_service_to_hide_services.yml", + "filename": "proc_creation_win_susp_ping_del_combined_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", - "value": "Abuse of Service Permissions to Hide Services Via Set-Service" - }, - { - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_adidnsdump.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ] - }, - "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", - "value": "Suspicious Execution of Adidnsdump" - }, - { - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/12/07", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_dinjector.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/snovvcrash/DInjector", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del_combined_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1070.004" ] }, - "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "value": "DInject PowerShell Cradle CommandLine Flags" - }, - { - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/04/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "4e762605-34a8-406d-b72e-c1a089313320", - "value": "Detecting Fake Instances Of Hxtsr.exe" + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "value": "Suspicious Ping/Del Command Combination" }, { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", "meta": { - "author": "frack113, Nasreddine Bencherchali", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/06", "falsepositive": [ "Unknown" @@ -52876,9 +58120,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" ], "tags": [ @@ -52898,6 +58142,125 @@ "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "value": "Use NTFS Short Name in Image" }, + { + "description": "Detects execution of curl.exe with custom useragent options", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_curl_useragent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", + "value": "Curl.EXE Execution With Custom UserAgent" + }, + { + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "meta": { + "author": "Georg Lauenstein", + "creation_date": "2022/09/19", + "falsepositive": [ + "Other programs that use the same command line flags" + ], + "filename": "proc_creation_win_hktl_winpeas.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" + ] + }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "value": "HackTool - winPEAS Execution" + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5f6a601c-2ecb-498b-9c33-660362323afa", + "value": "Root Certificate Installed From Susp Locations" + }, { "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", "meta": { @@ -52912,8 +58275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -52921,58 +58284,18 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "value": "Command Line Path Traversal Evasion" }, - { - "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.", - "meta": { - "author": "Teymur Kheirkhabarov, Florian Roth", - "creation_date": "2019/10/23", - "falsepositive": [ - "Possible name overlap with NT AUHTORITY substring to cover all languages" - ], - "filename": "proc_creation_win_whoami_as_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1", - "value": "Run Whoami as SYSTEM" - }, - { - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/02/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shimcache_flush.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "b0524451-19af-4efa-a46f-562a977f792e", - "value": "ShimCache Flush" - }, { "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "meta": { @@ -52986,8 +58309,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml" ], "tags": [ @@ -53007,6 +58330,40 @@ "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "value": "InfDefaultInstall.exe .inf Execution" }, + { + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_change.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "value": "Suspicious Modification Of Scheduled Tasks" + }, { "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", "meta": { @@ -53021,8 +58378,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -53055,8 +58412,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" ], "tags": [ @@ -53092,11 +58449,49 @@ "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml" ], - "tags": "No established tags" + "tags": [ + "attack.privilege_escalation" + ] }, "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", "value": "Suspicious RunAs-Like Flag Combination" }, + { + "description": "Detects netsh commands that turns off the Windows firewall", + "meta": { + "author": "Fatih Sirin", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate administration activity" + ], + "filename": "proc_creation_win_netsh_fw_disable.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004", + "attack.s0108" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "value": "Firewall Disabled via Netsh.EXE" + }, { "description": "Detects execution of the IEExec utility to download payloads", "meta": { @@ -53118,203 +58513,6 @@ "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "value": "Abusing IEExec To Download Payloads" }, - { - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "value": "Suspicious PowerShell Obfuscated PowerShell Code" - }, - { - "description": "Detects automated lateral movement by Turla group", - "meta": { - "author": "Markus Neis", - "creation_date": "2017/11/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_turla_commands_medium.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/the-epic-turla-operation/65545/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", - "value": "Automated Turla Group Lateral Movement" - }, - { - "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", - "meta": { - "author": "frack113", - "creation_date": "2021/09/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_alternate_data_streams.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "related": [ - { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", - "value": "Execute From Alternate Data Streams" - }, - { - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_modify_group_policy_settings.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" - ] - }, - "related": [ - { - "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", - "value": "Modify Group Policy Settings" - }, - { - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/05/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_msdt.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "value": "Potential Arbitrary Command Execution Using MSDT.EXE" - }, - { - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ] - }, - "related": [ - { - "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", - "value": "Enumeration for Credentials in Registry" - }, { "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", "meta": { @@ -53348,6 +58546,41 @@ "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "value": "Custom Class Execution via Xwizard" }, + { + "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_disable.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "value": "Disable Important Scheduled Task" + }, { "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", "meta": { @@ -53364,8 +58597,8 @@ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://twitter.com/BleepinComputer/status/1372218235949617161", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" ], "tags": [ @@ -53381,6 +58614,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", @@ -53399,9 +58639,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" ], "tags": [ @@ -53430,46 +58670,26 @@ "value": "UNC2452 PowerShell Pattern" }, { - "description": "Detect possible Sysmon driver unload", + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "meta": { - "author": "Kirill Kiryanov, oscd.community", - "creation_date": "2019/10/23", + "author": "frack113", + "creation_date": "2022/12/25", "falsepositive": [ - "Unknown" + "Legitimate use of the library" ], - "filename": "proc_creation_win_sysmon_driver_unload.yml", - "level": "high", + "filename": "proc_creation_win_powershell_download_com_cradles.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" - ] + "tags": "No established tags" }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "value": "Sysmon Driver Unload" + "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", + "value": "Potential COM Objects Download Cradles Usage - Process Creation" }, { "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", @@ -53484,8 +58704,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ @@ -53516,6 +58736,15 @@ "attack.t1546.001" ] }, + "related": [ + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "value": "Change Default File Association" }, @@ -53591,8 +58820,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], @@ -53604,70 +58833,58 @@ "value": "Start of NT Virtual DOS Machine" }, { - "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "meta": { - "author": "@41thexplorer, Microsoft Defender ATP", - "creation_date": "2018/11/20", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_apt_unidentified_nov_18.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/DrunkBinary/status/1063075530180886529", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7453575c-a747-40b9-839b-125a0aae324b", - "value": "Unidentified Attacker November 2018" - }, - { - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/07/09", + "author": "frack113", + "creation_date": "2021/12/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_powershell_obfuscation_via_utf8.yml", + "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1281103918693482496", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.impact", + "attack.t1490" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", - "value": "Potential PowerShell Obfuscation Via WCHAR" + "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "value": "SystemStateBackup Deleted Using Wbadmin.EXE" + }, + { + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "meta": { + "author": "pH-T (Nextron Systems)", + "creation_date": "2022/07/15", + "falsepositive": [ + "Software installation" + ], + "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml" + ], + "tags": "No established tags" + }, + "uuid": "970823b7-273b-460a-8afc-3a6811998529", + "value": "Uncommon One Time Only Scheduled Task At 00:00" }, { "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", @@ -53693,6 +58910,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "value": "Suspicious Driver Install by pnputil.exe" }, @@ -53729,74 +58955,6 @@ "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", "value": "Use of UltraVNC Remote Access Software" }, - { - "description": "Detects creation of a scheduled task with a GUID like name", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/31", - "falsepositive": [ - "Legitimate software naming their tasks as GUIDs" - ], - "filename": "proc_creation_win_susp_guid_task_name.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", - "value": "Suspicious Scheduled Task Name As GUID" - }, - { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_evil_winrm.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Hackplayers/evil-winrm", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "related": [ - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", - "value": "WinRM Access with Evil-WinRM" - }, { "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", "meta": { @@ -53820,6 +58978,13 @@ ] }, "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ @@ -53831,6 +58996,39 @@ "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", "value": "Scheduled Task WScript VBScript" }, + { + "description": "Detects usage of wmic to start or stop a service", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_service_manipulation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "value": "Service Started/Stopped Via Wmic.EXE" + }, { "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", "meta": { @@ -53844,8 +59042,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -53855,6 +59053,29 @@ "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "value": "Suspicious Windows App Activity" }, + { + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/n1nj4sec/status/1421190238081277959", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "value": "Mshtml DLL RunHTMLApplication Abuse" + }, { "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", "meta": { @@ -53964,35 +59185,50 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "value": "Non-privileged Usage of Reg or Powershell" }, { - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/19", + "author": "frack113", + "creation_date": "2021/12/16", "falsepositive": [ - "Rare legitimate add to registry via cli (to these locations)" + "Unknown" ], - "filename": "proc_creation_win_susp_reg_add.yml", + "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" + "attack.discovery", + "attack.t1518.001" ] }, - "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "value": "Reg Add Suspicious Paths" + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", + "value": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" }, { "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", @@ -54007,8 +59243,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -54048,138 +59284,120 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" }, { - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "meta": { - "author": "elhoim", - "creation_date": "2022/05/05", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_regsvr32_spawn_explorer.yml", + "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-april-2022/", - "https://www.echotrail.io/insights/search/regsvr32.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.010" + "attack.t1027" ] }, "related": [ { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "value": "Regsvr32 Spawning Explorer" + "uuid": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", + "value": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" }, { - "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", + "description": "Detection well-known mimikatz command line arguments", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "creation_date": "2019/10/22", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_high_integrity_sdclt.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "related": [ - { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", - "value": "High Integrity Sdclt Process" - }, - { - "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/08", - "falsepositive": [ - "Other powershell scripts that call nslookup.exe" - ], - "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", + "filename": "proc_creation_win_hktl_mimikatz_command_line.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/lukebaggett/dnscat2-powershell", - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", - "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1071", - "attack.t1071.004", - "attack.t1001.003", - "attack.t1041" + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" ] }, "related": [ { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", - "value": "DNSCat2 Powershell Implementation Detection Via Process Creation" + "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "value": "HackTool - Mimikatz Execution" }, { "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", @@ -54222,76 +59440,6 @@ "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "value": "Node Process Executions" }, - { - "description": "Detects WMIC executing suspicious or recon commands", - "meta": { - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", - "creation_date": "2019/01/16", - "falsepositive": [ - "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" - ], - "filename": "proc_creation_win_susp_wmic_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", - "value": "Suspicious WMIC Execution" - }, - { - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_change.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "value": "Suspicious Modification Of Scheduled Tasks" - }, { "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "meta": { @@ -54305,8 +59453,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -54328,37 +59476,38 @@ "value": "Potential PowerShell Downgrade Attack" }, { - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/12", + "author": "frack113", + "creation_date": "2022/08/14", "falsepositive": [ - "Unknown" + "Legitimate administration activity", + "Software installations and removal" ], - "filename": "proc_creation_win_crackmapexec_patterns.yml", - "level": "high", + "filename": "proc_creation_win_netsh_fw_delete_rule.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" + "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1562.004" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", - "value": "CrackMapExec Process Patterns" + "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "value": "Firewall Rule Deleted Via Netsh.EXE" }, { "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", @@ -54396,48 +59545,6 @@ "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "value": "Suspicious Copy From or To System32" }, - { - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/04/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml" - ], - "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" - ] - }, - "related": [ - { - "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", - "value": "Writing Of Malicious Files To The Fonts Folder" - }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { @@ -54462,6 +59569,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -54473,72 +59587,6 @@ "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", "value": "Invoke-Obfuscation Via Use MSHTA" }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/11", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_logmein.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "value": "Use of LogMeIn Remote Access Software" - }, - { - "description": "Detects powershell scripts that import modules from suspicious directories", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_import_module_susp_dirs.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", - "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation" - }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { @@ -54606,6 +59654,109 @@ "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "value": "Set Windows System File with Attrib" }, + { + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "meta": { + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_sc_service_path_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", + "value": "Suspicious Service Path Modification" + }, + { + "description": "Detects suspicious process related to rundll32 based on arguments", + "meta": { + "author": "frack113, Zaw Min Htun (ZETA)", + "creation_date": "2021/12/04", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_rundll32_script_run.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "value": "Suspicious Rundll32 Script in CommandLine" + }, + { + "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "value": "Remote CHM File Download/Execution Via HH.EXE" + }, { "description": "Detects automated lateral movement by Turla group", "meta": { @@ -54640,6 +59791,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", @@ -54679,72 +59851,84 @@ "value": "Suspicious Extrac32 Alternate Data Stream Execution" }, { - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", + "creation_date": "2021/02/11", "falsepositive": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" ], - "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", + "filename": "proc_creation_win_logman_disable_eventlog.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" + "https://ss64.com/nt/logman.html", + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001", + "attack.t1070.001" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "value": "NodejsTools PressAnyKey Lolbin" + "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "value": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" }, { - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "description": "Detects uninstallation or termination of security products using the WMIC utility", "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2020/10/09", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/01/30", "falsepositive": [ - "Unknown" + "Legitimate administration" ], - "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", - "level": "medium", + "filename": "proc_creation_win_wmic_uninstall_security_products.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/cglyer/status/1355171195654709249", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", - "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" + "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "value": "Potential Tampering With Security Products Via WMIC" }, { "description": "Detects audio capture via PowerShell Cmdlet.", @@ -54768,11 +59952,107 @@ "attack.t1123" ] }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "value": "Audio Capture via PowerShell" }, { - "description": "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/05/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_maze_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_maze_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "value": "Potential Maze Ransomware Activity" + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/11/10", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "435e10e4-992a-4281-96f3-38b11106adde", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + }, + { + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", @@ -54784,10 +60064,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nodejs.org/api/cli.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -54805,41 +60085,7 @@ } ], "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", - "value": "Node.exe Process Abuse" - }, - { - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/01/09", - "falsepositive": [ - "Administrative scripts" - ], - "filename": "proc_creation_win_susp_ps_appdata.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", - "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", - "value": "PowerShell Script Run in AppData" + "value": "Potential Arbitrary Code Execution Via Node.EXE" }, { "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", @@ -54855,8 +60101,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -54890,8 +60136,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", + "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" ], "tags": [ @@ -54916,6 +60162,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", @@ -54955,6 +60208,41 @@ "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "value": "Fsutil Behavior Set SymlinkEvaluation" }, + { + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", + "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_plugx_susp_exe_locations.yml" + ], + "tags": [ + "attack.s0013", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2", + "value": "Potential PlugX Activity" + }, { "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "meta": { @@ -54989,27 +60277,92 @@ "value": "Findstr LSASS" }, { - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", + "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/30", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_sharp_ldap_monitor.yml", - "level": "medium", + "filename": "proc_creation_win_lolbin_devinit.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/p0dalirius/LDAPmonitor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml" + "https://twitter.com/mrd0x/status/1460815932402679809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devinit.yml" ], "tags": [ - "attack.discovery" + "attack.execution", + "attack.defense_evasion", + "attack.t1218" ] }, - "uuid": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", - "value": "SharpLDAPmonitor Execution" + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "90d50722-0483-4065-8e35-57efaadd354d", + "value": "DevInit Lolbin Download" + }, + { + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_dinjector.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/snovvcrash/DInjector", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "value": "HackTool - DInjector PowerShell Cradle Execution" + }, + { + "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/04", + "falsepositive": [ + "Legitimate use of one of these tools" + ], + "filename": "proc_creation_win_hktl_execution_via_imphashes.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml" + ], + "tags": "No established tags" + }, + "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "value": "Suspicious Hacktool Execution - Imphash" }, { "description": "Detects use of executionpolicy option to set insecure policies", @@ -55024,10 +60377,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://adsecurity.org/?p=2604", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -55060,8 +60413,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", + "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" ], @@ -55070,43 +60423,17 @@ "attack.t1112" ] }, - "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", - "value": "Run Once Task Execution as Configured in Registry" - }, - { - "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", - "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community", - "creation_date": "2019/01/29", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_netsh_port_fwd_3389.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ] - }, "related": [ { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", - "value": "Netsh RDP Port Forwarding" + "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "value": "Run Once Task Execution as Configured in Registry" }, { "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", @@ -55132,6 +60459,48 @@ "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "value": "Suspicious Electron Application Child Processes" }, + { + "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", + "meta": { + "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", + "creation_date": "2022/04/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_powershell_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b66474aa-bd92-4333-a16c-298155b120df", + "value": "Potential Persistence Via Powershell Search Order Hijacking - Task" + }, { "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", "meta": { @@ -55163,90 +60532,30 @@ } ], "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "value": "Tor Client or Tor Browser Use" + "value": "Tor Client/Browser Execution" }, { - "description": "Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)", + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "meta": { - "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2020/02/18", - "falsepositive": [ - "Unlikely, because no one should dump the process memory in that way" - ], - "filename": "proc_creation_win_process_dump_rundll32_comsvcs.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", - "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", - "value": "Process Dump via Rundll32 and Comsvcs.dll" - }, - { - "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "creation_date": "2022/10/10", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_etw_modification_cmdline.yml", + "filename": "proc_creation_win_hktl_pchunter.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://twitter.com/_xpn_/status/1268712093928378368", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "http://www.xuetr.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] + "tags": "No established tags" }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "41421f44-58f9-455d-838a-c398859841d4", - "value": "ETW Logging Tamper In .NET Processes" + "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "value": "HackTool - PCHunter Execution" }, { "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", @@ -55282,20 +60591,61 @@ "value": "Potential WinAPI Calls Via CommandLine" }, { - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", + "description": "Local accounts, System Owner/User discovery using operating systems utilities", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/23", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" + "Legitimate administrator or user enumerates local users for legitimate reason" ], - "filename": "proc_creation_win_susp_schtasks_parent.yml", - "level": "medium", + "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "attack.t1087.001" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "502b42de-4306-40b4-9596-6f590c81f073", + "value": "Local Accounts Discovery" + }, + { + "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "meta": { + "author": "frack113", + "creation_date": "2021/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_user_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_user_temp.yml" ], "tags": [ "attack.execution", @@ -55311,11 +60661,11 @@ "type": "related-to" } ], - "uuid": "9494479d-d994-40bf-a8b1-eea890237021", - "value": "Suspicious Add Scheduled Task Parent" + "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", + "value": "Suspicious Add Scheduled Task From User AppData Temp" }, { - "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", "meta": { "author": "David Burkett, Florian Roth", "creation_date": "2019/12/28", @@ -55323,7 +60673,7 @@ "Rare System Admin Activity" ], "filename": "proc_creation_win_malware_trickbot_recon_activity.yml", - "level": "critical", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -55346,7 +60696,118 @@ } ], "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", - "value": "Trickbot Malware Recon Activity" + "value": "Trickbot Malware Reconnaissance Activity" + }, + { + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "meta": { + "author": "John Lambert (rule)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, + { + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", + "https://github.com/h3v0x/CVE-2021-26084_Confluence", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", + "value": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" + }, + { + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "meta": { + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_process_creation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/blog/wmic-for-incident-response/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", + "value": "New Process Created Via Wmic.EXE" }, { "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", @@ -55361,8 +60822,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1616702107242971144", "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", + "https://twitter.com/malmoeb/status/1616702107242971144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -55372,31 +60833,10 @@ "uuid": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "value": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" }, - { - "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", - "meta": { - "author": "frack113", - "creation_date": "2022/12/23", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "proc_creation_win_frombase64string_archive.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml" - ], - "tags": "No established tags" - }, - "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", - "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" - }, { "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", "meta": { - "author": "Markus Neis", + "author": "Markus Neis, @Kostastsale", "creation_date": "2018/08/17", "falsepositive": [ "Unlikely" @@ -55407,6 +60847,7 @@ "logsource.product": "windows", "refs": [ "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ @@ -55414,43 +60855,60 @@ "attack.t1562.001" ] }, - "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "value": "Powershell AMSI Bypass via .NET Reflection" - }, - { - "description": "Detects the use of RunXCmd tool for command execution", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/24", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proc_creation_win_tool_runx_as_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.d7xtech.com/free-software/runx/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, "related": [ { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "93199800-b52a-4dec-b762-75212c196542", - "value": "RunXCmd Tool Execution As System" + "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "value": "Potential AMSI Bypass Via .NET Reflection" + }, + { + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Rare legitimate add to registry via cli (to these locations)" + ], + "filename": "proc_creation_win_reg_susp_paths.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "value": "Reg Add Suspicious Paths" }, { "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", @@ -55465,9 +60923,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/pabraeken/status/990758590020452353", "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", - "https://twitter.com/pabraeken/status/990758590020452353", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -55488,55 +60946,136 @@ "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, { - "description": "Detects command line parameters used by Koadic hack tool", + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", "meta": { - "author": "wagga, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2020/01/12", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/08/11", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_hack_koadic.yml", - "level": "high", + "filename": "proc_creation_win_exploit_other_systemnightmare.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" + "https://github.com/GossiTheDog/SystemNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_systemnightmare.yml" ], "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" + "attack.privilege_escalation", + "attack.t1068" ] }, "related": [ { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", - "value": "Koadic Execution" + "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "value": "Potential SystemNightmare Exploitation Attempt" + }, + { + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_folder_combos.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "value": "Schtasks From Suspicious Folders" + }, + { + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_schtasks_delete_all.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "value": "Delete All Scheduled Tasks" + }, + { + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "meta": { + "author": "frack113", + "creation_date": "2022/02/06", + "falsepositive": [ + "Legitimate commands in .lnk files" + ], + "filename": "proc_creation_win_susp_embed_exe_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.x86matthew.com/view_post?id=embed_exe_lnk", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "value": "Hidden Powershell in Link File Pattern" }, { "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", @@ -55571,41 +61110,6 @@ "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "value": "Suspicious Where Execution" }, - { - "description": "Detects a suspicious curl process start on Windows with set useragent options", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "filename": "proc_creation_win_susp_curl_useragent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", - "https://curl.se/docs/manpage.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "related": [ - { - "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", - "value": "Suspicious Curl Change User Agents" - }, { "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "meta": { @@ -55645,7 +61149,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", "falsepositive": [ - "Legitmate usage of the utility by administrators to query the event log" + "Legitimate usage of the utility by administrators to query the event log" ], "filename": "proc_creation_win_wevtutil_recon.yml", "level": "medium", @@ -55675,9 +61179,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -55685,7 +61189,7 @@ ] }, "uuid": "a20def93-0709-4eae-9bd2-31206e21e6b2", - "value": "DriverQuery.EXE Usage" + "value": "DriverQuery.EXE Execution" }, { "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", @@ -55701,8 +61205,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" ], "tags": [ @@ -55778,10 +61282,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/873181705024266241", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", - "https://twitter.com/vysecurity/status/974806438316072960", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", + "https://twitter.com/vysecurity/status/873181705024266241", + "https://twitter.com/vysecurity/status/974806438316072960", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" ], "tags": [ @@ -55802,39 +61306,108 @@ "value": "Capture Credentials with Rpcping.exe" }, { - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/20", + "creation_date": "2022/06/28", "falsepositive": [ - "Command lines that use the same flags" + "Unknown" ], - "filename": "proc_creation_win_susp_renamed_createdump.yml", + "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml" + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - "value": "Renamed CreateDump Process Dump" + "uuid": "99c840f2-2012-46fd-9141-c761987550ef", + "value": "Suspicious Download From Direct IP Via Bitsadmin" + }, + { + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/21", + "falsepositive": [ + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" + ], + "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "value": "PsExec Service Child Process Execution as LOCAL SYSTEM" + }, + { + "description": "Detects suspicious mshta process execution patterns", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mshta_susp_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/mshta.exe", + "https://en.wikipedia.org/wiki/HTML_Application", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "value": "Suspicious Mshta.EXE Execution Patterns" }, { "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", @@ -55849,8 +61422,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -55879,72 +61452,73 @@ "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, { - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/13", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/24", "falsepositive": [ - "Some false positives may occure with other tools with similar commandlines" + "Legitimate use by administrators" ], - "filename": "proc_creation_win_chisel_usage.yml", + "filename": "proc_creation_win_pua_nircmd_as_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/jpillora/chisel/", - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ] - }, - "related": [ - { - "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "value": "Chisel Tunneling Tool Usage" - }, - { - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/24", - "falsepositive": [ - "Legitimate use of the impacket tools" - ], - "filename": "proc_creation_win_impacket_compiled_tools.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml" + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ "attack.execution", - "attack.t1557.001" + "attack.t1569.002", + "attack.s0029" ] }, "related": [ { - "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "value": "Impacket Tool Execution" + "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "value": "PUA - NirCmd Execution As LOCAL SYSTEM" + }, + { + "description": "Uninstall an application with wmic", + "meta": { + "author": "frac113", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_uninstall_application.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "value": "Application Removed Via Wmic.EXE" }, { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", @@ -55967,8 +61541,17 @@ "attack.t1574.011" ] }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", - "value": "Service ImagePath Change with Reg.exe" + "value": "Changing Existing Service ImagePath Value Via Reg.EXE" }, { "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", @@ -55992,6 +61575,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "value": "Suspicious VBoxDrvInst.exe Parameters" }, @@ -56028,6 +61620,39 @@ "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", "value": "Suspicious ConfigSecurityPolicy Execution" }, + { + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "value": "Audit Policy Tampering Via NT Resource Kit Auditpol" + }, { "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "meta": { @@ -56041,8 +61666,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" ], "tags": [ @@ -56071,32 +61696,6 @@ "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "value": "Process Access via TrolleyExpress Exclusion" }, - { - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "meta": { - "author": "ok @securonix invrep-de, oscd.community, frack113", - "creation_date": "2020/10/12", - "falsepositive": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." - ], - "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", - "value": "Disable Windows Defender AV Security Monitoring" - }, { "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", "meta": { @@ -56132,106 +61731,82 @@ "value": "Bypass UAC via Fodhelper.exe" }, { - "description": "Detects the use of NPS a port forwarding tool", + "description": "Detects a file or folder's permissions being modified or tampered with.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/10/08", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/23", "falsepositive": [ - "Legitimate use" + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" ], - "filename": "proc_creation_win_nps.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/ehang-io/nps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "related": [ - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", - "value": "NPS Tunneling Tool" - }, - { - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/02/04", - "falsepositive": [ - "Very unlikely" - ], - "filename": "proc_creation_win_hack_dumpert.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", - "value": "Dumpert Process Dumper" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_rundll.yml", + "filename": "proc_creation_win_susp_file_permission_modifications.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1222.001" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER" + "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "value": "File or Folder Permissions Modifications" + }, + { + "description": "Execute C# code located in the consoleapp folder", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate use of dnx.exe by legitimate user" + ], + "filename": "proc_creation_win_lolbin_dnx.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "value": "Application Whitelisting Bypass via Dnx.exe" }, { "description": "Detects possible payload obfuscation via the commandline", @@ -56323,6 +61898,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -56406,102 +61988,18 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "value": "Turla Group Commands May 2020" }, - { - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/05/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "value": "Net WebClient Casing Anomalies" - }, - { - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_rundll32_sys.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "value": "Suspicious Rundll32 Activity Invoking Sys File" - }, - { - "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_clip.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ] - }, - "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", - "value": "Use of CLIP" - }, { "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", "meta": { @@ -56539,7 +62037,7 @@ { "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", "falsepositive": [ "Administrative activity" @@ -56570,7 +62068,7 @@ "value": "Add User to Local Administrators" }, { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", "meta": { "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "creation_date": "2019/10/24", @@ -56582,8 +62080,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], @@ -56604,6 +62102,41 @@ "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "value": "Usage Of Web Request Commands And Cmdlets" }, + { + "description": "Detects a command used by conti to dump database", + "meta": { + "author": "frack113", + "creation_date": "2021/08/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_database_dump.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "value": "Potential Conti Ransomware Database Dumping Activity" + }, { "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", "meta": { @@ -56651,9 +62184,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", - "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ @@ -56670,10 +62203,53 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "value": "Emotet Process Creation" + "value": "Potential Emotet Activity" + }, + { + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_curl_susp_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "value": "Suspicious Curl.EXE Download" }, { "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", @@ -56732,6 +62308,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -56744,28 +62327,80 @@ "value": "Invoke-Obfuscation STDIN+ Launcher" }, { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "description": "Detects user accept agreement execution in psexec commandline", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/05", + "author": "omkar72", + "creation_date": "2020/10/30", "falsepositive": [ - "Legitimate PowerShell scripts" + "Administrative scripts." ], - "filename": "proc_creation_win_tamper_defender_remove_mppreference.yml", - "level": "high", + "filename": "proc_creation_win_sysinternals_psexec_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.execution", + "attack.t1569", + "attack.t1021" ] }, - "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "value": "Tamper Windows Defender Remove-MpPreference" + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", + "value": "Psexec Execution" + }, + { + "description": "Detects a specific command used by the Conti ransomware group", + "meta": { + "author": "frack113", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_conti_ransomware_commands.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", + "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_commands.yml" + ], + "tags": [ + "attack.impact", + "attack.s0575", + "attack.t1486" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", + "value": "Potential Conti Ransomware Activity" }, { "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", @@ -56780,8 +62415,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], @@ -56811,6 +62446,47 @@ "uuid": "25676e10-2121-446e-80a4-71ff8506af47", "value": "Exchange PowerShell Snap-Ins Usage" }, + { + "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", + "value": "Potential Persistence Attempt Via Existing Service Tampering" + }, { "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", "meta": { @@ -56846,39 +62522,47 @@ "value": "UAC Bypass Using DismHost" }, { - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", + "description": "Detects suspicious Plink tunnel port forwarding to a local port", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/12/27", + "creation_date": "2021/01/19", "falsepositive": [ - "Unknown" + "Administrative activity using a remote port forwarding to a local port" ], - "filename": "proc_creation_win_hack_htran.yml", + "filename": "proc_creation_win_plink_port_forwarding.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/HiwinCN/HTran", - "https://github.com/cw1997/NATBypass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_htran.yml" + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml" ], "tags": [ "attack.command_and_control", - "attack.t1090", - "attack.s0040" + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" ] }, "related": [ { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", - "value": "Htran or NATBypass Markers" + "uuid": "48a61b29-389f-4032-b317-b30de6b95314", + "value": "Suspicious Plink Port Forwarding" }, { "description": "Detects the rare use of the command line tool shutdown to logoff a user", @@ -56893,8 +62577,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" ], "tags": [ @@ -56949,6 +62633,42 @@ "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", "value": "Verclsid.exe Runs COM Object" }, + { + "description": "Detects various anomalies in relation to regsvr32.exe", + "meta": { + "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regsvr32_anomalies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ] + }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "value": "Regsvr32 Anomaly" + }, { "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", "meta": { @@ -56962,8 +62682,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" ], "tags": [ @@ -56971,162 +62691,18 @@ "attack.t1546.008" ] }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9b61244-893f-427c-b287-3e708f321c6b", "value": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" }, - { - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/01/16", - "falsepositive": [ - "High" - ], - "filename": "proc_creation_win_susp_cmd_http_appdata.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", - "value": "Command Line Execution with Suspicious URL and AppData Strings" - }, - { - "description": "Detects Possible Squirrel Packages Manager as Lolbin", - "meta": { - "author": "Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/11/12", - "falsepositive": [ - "1Clipboard", - "Beaker Browser", - "Caret", - "Collectie", - "Discord", - "Figma", - "Flow", - "Ghost", - "GitHub Desktop", - "GitKraken", - "Hyper", - "Insomnia", - "JIBO", - "Kap", - "Kitematic", - "Now Desktop", - "Postman", - "PostmanCanary", - "Rambox", - "Simplenote", - "Skype", - "Slack", - "SourceTree", - "Stride", - "Svgsus", - "WebTorrent", - "WhatsApp", - "WordPress.com", - "Atom", - "Gitkraken", - "Slack", - "Teams" - ], - "filename": "proc_creation_win_susp_squirrel_lolbin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", - "value": "Squirrel Lolbin" - }, - { - "description": "Detects DarkSide Ransomware and helpers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/14", - "falsepositive": [ - "Unknown", - "UAC bypass method used by other malware" - ], - "filename": "proc_creation_win_mal_darkside_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", - "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "related": [ - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", - "value": "DarkSide Ransomware Pattern" - }, { "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", "meta": { @@ -57149,7 +62725,43 @@ "value": "Execution of Powershell Script in Public Folder" }, { - "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "meta": { + "author": "Ecco, E.M. Anhaus, oscd.community", + "creation_date": "2019/09/26", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_fsutil_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "add64136-62e5-48ea-807e-88638d02df1e", + "value": "Fsutil Suspicious Invocation" + }, + { + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", @@ -57205,6 +62817,49 @@ "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", "value": "Execute Pcwrun.EXE To Leverage Follina" }, + { + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "meta": { + "author": "blueteamer8699", + "creation_date": "2022/01/03", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_lolbin_gather_network_info.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" + ] + }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "value": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, { "description": "Detects the execution of CSharp interactive console by PowerShell", "meta": { @@ -57239,72 +62894,38 @@ "value": "Suspicious Use of CSharp Interactive Console" }, { - "description": "Allow Incoming Connections by Port or Application on Windows Firewall", + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", "meta": { - "author": "Markus Neis, Sander Wiebing", - "creation_date": "2019/01/29", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/06", "falsepositive": [ - "Legitimate administration" + "System administrator usage" ], - "filename": "proc_creation_win_netsh_fw_add.yml", - "level": "medium", + "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", - "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562.004" + "attack.impact", + "attack.t1485" ] }, "related": [ { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", - "value": "Netsh Port or Application Allowed" - }, - { - "description": "Detects suspicious process related to rundll32 based on arguments", - "meta": { - "author": "frack113, Zaw Min Htun (ZETA)", - "creation_date": "2021/12/04", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_rundll32_script_run.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "value": "Suspicious Rundll32 Script in CommandLine" + "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", + "value": "Renamed Sysinternals Sdelete Execution" }, { "description": "Detects a Windows program executable started from a suspicious folder", @@ -57328,6 +62949,15 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "value": "System File Execution Location Anomaly" }, @@ -57364,6 +62994,44 @@ "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", "value": "Suspicious Recon Activity Using Findstr Keywords" }, + { + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2023/02/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certutil_decode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", + "value": "File Decoded From Base64/Hex Via Certutil.EXE" + }, { "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", "meta": { @@ -57377,10 +63045,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/antonioCoco/RogueWinRM", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -57413,11 +63081,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", - "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://www.joesandbox.com/analysis/443736/0/html", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], "tags": [ @@ -57451,8 +63119,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" ], "tags": [ @@ -57475,9 +63143,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-windows-executable", - "https://redcanary.com/threat-detection-report/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/threat-detection-report/", + "https://www.cobaltstrike.com/help-windows-executable", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" ], "tags": [ @@ -57498,33 +63166,63 @@ "value": "CobaltStrike Load by Rundll32" }, { - "description": "Detects suspicious ways to download files or content using PowerShell", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/28", "falsepositive": [ - "Scripts or tools that download files" + "Unknown" ], - "filename": "proc_creation_win_susp_powershell_download_cradles.yml", - "level": "medium", + "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml" + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" ], - "tags": "No established tags" + "tags": [ + "attack.execution" + ] }, - "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", - "value": "PowerShell Web Download" + "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "value": "Potential Raspberry Robin Dot Ending File" }, { - "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\" or \"netsh\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", + "meta": { + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate use of the library for administrative activity" + ], + "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" + ] + }, + "uuid": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "value": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" + }, + { + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", "meta": { "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/10/21", "falsepositive": [ - "Legitimate adminstration activity to troubleshoot network issues" + "Legitimate administration activity to troubleshoot network issues" ], "filename": "proc_creation_win_network_sniffing.yml", "level": "medium", @@ -57540,41 +63238,17 @@ "attack.t1040" ] }, - "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", - "value": "Potential Network Sniffing Activity Using Network Tools" - }, - { - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "meta": { - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", - "creation_date": "2020/03/20", - "falsepositive": [ - "Other scripts" - ], - "filename": "proc_creation_win_susp_powershell_parent_process.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", - "value": "Suspicious PowerShell Parent Process" + "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "value": "Potential Network Sniffing Activity Using Network Tools" }, { "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", @@ -57590,9 +63264,9 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" ], "tags": [ @@ -57613,31 +63287,7 @@ "value": "PPID Spoofing Tool Usage" }, { - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_advancedrun_priv_user.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" - ], - "tags": "No established tags" - }, - "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", - "value": "Suspicious AdvancedRun Runas Priv User" - }, - { - "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", "meta": { "author": "@gott_cyber", "creation_date": "2022/07/31", @@ -57660,8 +63310,17 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "value": "Discovery/Execution via dnscmd.exe" + "value": "Potential Discovery Activity Via Dnscmd.EXE" }, { "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", @@ -57709,8 +63368,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", + "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ @@ -57740,39 +63399,80 @@ "value": "Suspicious Cmdl32 Execution" }, { - "description": "Commandline to launch powershell with a base64 payload", + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", "meta": { - "author": "frack113", - "creation_date": "2022/01/02", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_powershell_encode.yml", - "level": "medium", + "filename": "proc_creation_win_pua_csexec.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/malcomvetter/CSExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ + "attack.resource_development", + "attack.t1587.001", "attack.execution", - "attack.t1059.001" + "attack.t1569.002" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", - "value": "Suspicious Execution of Powershell with Base64" + "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "value": "PUA - CsExec Execution" + }, + { + "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_redirect_to_stream.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect_to_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", + "value": "Cmd Stream Redirection" }, { "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", @@ -57817,6 +63517,73 @@ "uuid": "2267fe65-0681-42ad-9a6d-46553d3f3480", "value": "WSL Child Process Anomaly" }, + { + "description": "Detects SILENTTRINITY stager use via PE metadata", + "meta": { + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_silenttrinity_stager.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", + "value": "HackTool - SILENTTRINITY Stager Execution" + }, + { + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_recon_computersystem.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1047" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "value": "Computer System Reconnaissance Via Wmic.EXE" + }, { "description": "Atbroker executing non-deafualt Assistive Technology applications", "meta": { @@ -57830,8 +63597,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ @@ -57875,6 +63642,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -57899,9 +63673,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/fireeye/DueDLLigence", - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -57922,90 +63696,37 @@ "value": "DLL Execution via Rasautou.exe" }, { - "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", "meta": { "author": "frack113", - "creation_date": "2022/02/06", + "creation_date": "2021/12/20", "falsepositive": [ - "Legitimate commands in .lnk files" + "Unknown" ], - "filename": "proc_creation_win_embed_exe_lnk.yml", + "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=embed_exe_lnk", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.credential_access", + "attack.t1552.002" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", - "value": "Hidden Powershell in Link File Pattern" - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_sharpview.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/tevora-threat/SharpView/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" - ] - }, - "related": [ - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "value": "Suspicious Execution of SharpView" + "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "value": "Enumeration for Credentials in Registry" }, { "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", @@ -58020,9 +63741,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" ], "tags": [ @@ -58067,83 +63788,6 @@ "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", "value": "Shells Spawned by Java" }, - { - "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", - "meta": { - "author": "pH-T (Nextron Systems), Florian Roth", - "creation_date": "2022/04/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b66474aa-bd92-4333-a16c-298155b120df", - "value": "Suspicious Powershell No File or Command" - }, - { - "description": "Detects persitence via netsh helper", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/software/S0108/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.007", - "attack.s0108" - ] - }, - "related": [ - { - "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "56321594-9087-49d9-bf10-524fe8479452", - "value": "Suspicious Netsh DLL Persistence" - }, { "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", "meta": { @@ -58157,8 +63801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" ], "tags": [ @@ -58169,104 +63813,41 @@ "value": "Suspicious Msbuild Execution By Uncommon Parent Process" }, { - "description": "Detection well-known mimikatz command line arguments", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate Administrator using tool for password recovery" - ], - "filename": "proc_creation_win_mimikatz_command_line.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", - "value": "Mimikatz Command Line" - }, - { - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "description": "Detects the creation of scheduled tasks in user session", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/06", + "creation_date": "2019/01/16", "falsepositive": [ - "System administrator usage" + "Administrative activity", + "Software installation" ], - "filename": "proc_creation_win_renamed_sdelete.yml", - "level": "high", + "filename": "proc_creation_win_schtasks_creation.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml" ], "tags": [ - "attack.impact", - "attack.t1485" + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" ] }, "related": [ { - "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "value": "Renamed Sysinternals Sdelete Usage" + "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", + "value": "Scheduled Task Creation" }, { "description": "Detects a code page switch in command line or batch scripts to a rare language", @@ -58290,6 +63871,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", "value": "Suspicious Code Page Switch" }, @@ -58306,10 +63896,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://github.com/defaultnamehere/cookie_crimes/", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" ], "tags": [ @@ -58330,25 +63920,41 @@ "value": "Potential Data Stealing Via Chromium Headless Debugging" }, { - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/24", + "creation_date": "2018/08/13", "falsepositive": [ - "Legitimate scripts that use IEX" + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" ], - "filename": "proc_creation_win_susp_powershell_iex_patterns.yml", - "level": "high", + "filename": "proc_creation_win_whoami_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml" + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] }, - "uuid": "09576804-7a05-458e-a817-eb718ca91f54", - "value": "Suspicious PowerShell IEX Execution Patterns" + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "value": "Whoami Utility Execution" }, { "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", @@ -58381,93 +63987,7 @@ } ], "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "value": "NTLM Coercion Via Certutil.exe" - }, - { - "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/01", - "falsepositive": [ - "Administrators settings a service to disable via script or cli for testing purposes" - ], - "filename": "proc_creation_win_disable_service.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" - }, - { - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "meta": { - "author": "Teymur Kheirkhabarov", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "value": "Possible Privilege Escalation via Weak Service Permissions" - }, - { - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "meta": { - "author": "FPT.EagleEye", - "creation_date": "2020/12/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", - "https://cyber.wtf/2021/11/15/guess-whos-back/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", - "value": "Emotet RunDLL32 Process Creation" + "value": "Potential NTLM Coercion Via Certutil.EXE" }, { "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", @@ -58490,6 +64010,15 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", "value": "ScreenConnect Remote Access" }, @@ -58506,7 +64035,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], @@ -58528,63 +64057,97 @@ "value": "Sdclt Child Processes" }, { - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "description": "Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc_renamed.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "value": "Renamed PsExec Service Execution" - }, - { - "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation", - "meta": { - "author": "@neonprimetime, Florian Roth", - "creation_date": "2021/09/08", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_control_cve_2021_40444.yml", - "level": "high", + "filename": "proc_creation_win_wsl_windows_binaries_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/476188/1/iochtml", - "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml" ], "tags": [ "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1202" ] }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", - "value": "CVE-2021-40444 Process Pattern" + "uuid": "ed825c86-c009-4014-b413-b76003e33d35", + "value": "Windows Binary Executed From WSL" + }, + { + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "meta": { + "author": "Markus Neis, Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://twitter.com/mattifestation/status/986280382042595328", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "value": "Potential SquiblyTwo Technique Execution" }, { "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", @@ -58599,8 +64162,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" ], "tags": [ @@ -58644,43 +64207,50 @@ "attack.t1021.005" ] }, - "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", - "value": "Suspicious UltraVNC Execution" - }, - { - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_certoc_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", - "value": "Suspicious Load DLL via CertOC.exe" + "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", + "value": "Suspicious UltraVNC Execution" + }, + { + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "value": "Suspicious Invoke-WebRequest Usage" }, { "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", @@ -58722,15 +64292,15 @@ "author": "frack113", "creation_date": "2022/05/07", "falsepositive": [ - "Unknown" + "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], "filename": "proc_creation_win_lolbin_ie4uinit.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -58751,63 +64321,76 @@ "value": "Ie4uinit Lolbin Use From Invalid Path" }, { - "description": "Detects UAC bypass method using Windows event viewer", + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/03/19", + "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", + "creation_date": "2021/07/14", "falsepositive": [ - "Unknown" + "Unknown", + "Other security solution installers" ], - "filename": "proc_creation_win_sysmon_uac_bypass_eventvwr.yml", + "filename": "proc_creation_win_reg_disable_sec_services.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://vms.drweb.fr/virus/?i=24144899", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", - "value": "UAC Bypass via Event Viewer" + "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", + "value": "Reg Disable Security Service" }, { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/04", + "author": "Cian Heasley", + "creation_date": "2020/08/13", "falsepositive": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + "Legitimate uses of Mouse Lock software" ], - "filename": "proc_creation_win_wusa_susp_cab_extraction.yml", + "filename": "proc_creation_win_pua_mouselock_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml" + "https://sourceforge.net/projects/mouselock/", + "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ - "attack.execution" + "attack.credential_access", + "attack.collection", + "attack.t1056.002" ] }, - "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", - "value": "Wusa Extracting Cab Files" + "related": [ + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "value": "PUA - Mouse Lock Execution" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", @@ -58833,6 +64416,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -58866,6 +64456,15 @@ "attack.t1012" ] }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "value": "Exports Registry Key To a File" }, @@ -58941,68 +64540,17 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - } - ], - "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", - "value": "Exploit for CVE-2017-0261" - }, - { - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "meta": { - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", - "creation_date": "2019/01/12", - "falsepositive": [ - "Exclude legitimate logon scripts" - ], - "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" - ], - "tags": [ - "attack.t1037.001", - "attack.persistence" - ] - }, - "related": [ + }, { - "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", - "value": "Logon Scripts (UserInitMprLogonScript)" - }, - { - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/29", - "falsepositive": [ - "Legitimate usage of the features listed in the rule." - ], - "filename": "proc_creation_win_enable_susp_windows_optional_feature.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", - "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" + "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "value": "Exploit for CVE-2017-0261" }, { "description": "Detects wmiprvse spawning processes", @@ -59017,7 +64565,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html", + "https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" ], "tags": [ @@ -59038,38 +64586,72 @@ "value": "WmiPrvSE Spawned A Process" }, { - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/23", + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", "falsepositive": [ - "Other legitimate network providers used and not filtred in this rule" + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" ], - "filename": "proc_creation_win_new_network_provider.yml", - "level": "high", + "filename": "proc_creation_win_wmic_xsl_script_processing.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.defense_evasion", + "attack.t1220" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", - "value": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" + "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "value": "XSL Script Processing" + }, + { + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regsvr32_remote_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "value": "Suspicious Regsvr32 Execution From Remote Share" }, { "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", @@ -59084,8 +64666,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -59106,67 +64688,43 @@ "value": "CobaltStrike Process Patterns" }, { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", - "creation_date": "2020/10/12", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/17", "falsepositive": [ - "Unknown" + "Rare intended use of hidden services" ], - "filename": "proc_creation_win_proxy_execution_wuauclt.yml", + "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.privilege_escalation", + "attack.t1574.011" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", - "value": "Proxy Execution via Wuauclt" + "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "value": "Abuse of Service Permissions to Hide Services Via Set-Service" }, { - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "meta": { - "author": "Vasiliy Burov", - "creation_date": "2020/10/05", - "falsepositive": [ - "Software that uses the caret encased keywords PASS and USER in its command line" - ], - "filename": "proc_creation_win_hack_hydra.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vanhauser-thc/thc-hydra", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" - ] - }, - "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", - "value": "Hydra Password Guessing Hack Tool" - }, - { - "description": "Execution of a renamed version of the Plink binary", + "description": "Detects the execution of a renamed version of the Plink binary", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/06", @@ -59187,42 +64745,111 @@ "attack.t1036" ] }, - "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", - "value": "Execution Of Renamed Plink Binary" - }, - { - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "meta": { - "author": "Christian Burkard (Nextron Systems)", - "creation_date": "2021/08/31", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, "related": [ { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", - "value": "UAC Bypass Tools Using ComputerDefaults" + "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "value": "Renamed Plink Execution" + }, + { + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/10/08", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_pua_nps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/ehang-io/nps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", + "value": "PUA - NPS Tunneling Tool Execution" + }, + { + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_encoded_obfusc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "value": "Suspicious Obfuscated PowerShell Code" + }, + { + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sc_sdset_hide_sevices.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "related": [ + { + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "value": "Service DACL Abuse To Hide Services Via Sc.EXE" }, { "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", @@ -59237,8 +64864,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", + "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" ], "tags": [ @@ -59246,6 +64873,15 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", "value": "Exploit for CVE-2015-1641" }, @@ -59263,8 +64899,8 @@ "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], @@ -59273,11 +64909,20 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "value": "Execution from Suspicious Folder" }, { - "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics", + "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", "meta": { "author": "Alexander McDonald", "creation_date": "2022/06/24", @@ -59289,8 +64934,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -59298,43 +64943,50 @@ "attack.t1055" ] }, - "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", - "value": "Msra.exe Process Injection" - }, - { - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "meta": { - "author": "Sreeman", - "creation_date": "2020/10/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1197" - ] - }, "related": [ { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "value": "Monitoring For Persistence Via BITS" + "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", + "value": "Potential Process Injection Via Msra.EXE" + }, + { + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "meta": { + "author": "elhoim, CD_ROM_", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_spawn_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "value": "RunDLL32 Spawning Explorer" }, { "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", @@ -59358,9 +65010,54 @@ "attack.g0044" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", "value": "Winnti Pipemon Characteristics" }, + { + "description": "Detects suspicious powershell command line parameters used in Empire", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/04/20", + "falsepositive": [ + "Other tools that incidentally use the same command line parameters" + ], + "filename": "proc_creation_win_hktl_empire_powershell_launch.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", + "value": "HackTool - Empire PowerShell Launch Parameters" + }, { "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", "meta": { @@ -59395,7 +65092,42 @@ "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", + "description": "dotnet.exe will execute any DLL and execute unsigned code", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_lolbin_dotnet.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" + }, + { + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", @@ -59417,40 +65149,6 @@ "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location" }, - { - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/01/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_rdp_hijack_shadowing.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", - "https://twitter.com/kmkz_security/status/1220694202301976576", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1563.002" - ] - }, - "related": [ - { - "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "value": "MSTSC Shadowing" - }, { "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", "meta": { @@ -59473,6 +65171,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62510e69-616b-4078-b371-847da438cc03", "value": "Share And Session Enumeration Using Net.EXE" }, @@ -59489,9 +65196,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/apt-slingshot/84312/", "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://twitter.com/cyb3rops/status/972186477512839170", + "https://securelist.com/apt-slingshot/84312/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ @@ -59513,67 +65220,25 @@ "value": "Equation Group DLL_U Load" }, { - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "description": "Detects inline execution of PowerShell code from a file", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2022/10/10", + "author": "frack113", + "creation_date": "2022/12/25", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_susp_pchunter.yml", - "level": "high", + "filename": "proc_creation_win_powershell_exec_data_file.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.xuetr.com/", - "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml" ], "tags": "No established tags" }, - "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "value": "PCHunter Usage" - }, - { - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/14", - "falsepositive": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" - ], - "filename": "proc_creation_win_susp_ngrok_pua.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://ngrok.com/docs", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ] - }, - "related": [ - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "value": "Ngrok Usage" + "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "value": "Powershell Inline Execution From A File" }, { "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", @@ -59619,44 +65284,87 @@ "attack.t1027" ] }, - "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "value": "Suspicious CLSID Folder Name In Suspicious Locations" - }, - { - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "meta": { - "author": "TropChaud", - "creation_date": "2023/01/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_rhadamanthys_dll_launch.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/anfam17/status/1607477672057208835", - "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", - "https://www.joesandbox.com/analysis/790122/0/html", - "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rhadamanthys_dll_launch.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", - "value": "Rhadamanthys Stealer Module Launch via Rundll32" + "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", + "value": "Suspicious CLSID Folder Name In Suspicious Locations" + }, + { + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/14", + "falsepositive": [ + "Rare legitimate installation of kernel drivers via sc.exe" + ], + "filename": "proc_creation_win_sc_new_kernel_driver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "value": "New Kernel Driver Via SC.EXE" + }, + { + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "meta": { + "author": "frack113", + "creation_date": "2022/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_gpresult_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ] + }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", + "value": "Gpresult Display Group Policy Information" }, { "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", @@ -59671,10 +65379,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -59695,39 +65403,39 @@ "value": "Use of FSharp Interpreters" }, { - "description": "Detects file execution using the msdeploy.exe lolbin", + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2020/10/18", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2023/02/14", "falsepositive": [ - "System administrator Usage" + "Unknown" ], - "filename": "proc_creation_win_msdeploy.yml", + "filename": "proc_creation_win_wmic_recon_csproduct.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/999090532839313408", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", - "https://twitter.com/pabraeken/status/995837734379032576", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" + "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", + "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" ], "tags": [ "attack.execution", - "attack.t1218" + "attack.t1047", + "car.2016-03-002" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", - "value": "Execute Files with Msdeploy.exe" + "uuid": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", + "value": "Hardware Model Reconnaissance Via Wmic.EXE" }, { "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", @@ -59761,65 +65469,7 @@ } ], "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "value": "Suspicious Command With Teams Objects Pathes" - }, - { - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_dll_sideload_defender.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", - "value": "DLL Sideloading by Microsoft Defender" - }, - { - "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", - "meta": { - "author": "frack113", - "creation_date": "2022/01/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_pypykatz.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", - "https://github.com/skelsec/pypykatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "related": [ - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "value": "Registry Parse with Pypykatz" + "value": "Suspicious Command With Teams Objects Paths" }, { "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", @@ -59835,8 +65485,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -59859,9 +65509,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1564968845726580736", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://twitter.com/0gtweet/status/1564968845726580736", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -59890,6 +65540,103 @@ "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "value": "Suspicious Ldifde Command Usage" }, + { + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "meta": { + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2018/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_susp_child_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1047", + "attack.t1204.002", + "attack.t1218.010" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "438025f9-5856-4663-83f7-52f878a70a50", + "value": "Suspicious Microsoft Office Child Process" + }, + { + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/10/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" + ], + "filename": "proc_creation_win_rundll32_by_ordinal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://github.com/Neo23x0/DLLRunner", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "value": "Suspicious Call by Ordinal" + }, { "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "meta": { @@ -59942,9 +65689,43 @@ "value": "Windows Shell/Scripting Processes Spawning Suspicious Programs" }, { - "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges", + "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_pua_wsudo_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/M2Team/Privexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "value": "PUA - Wsudo Suspicious Execution" + }, + { + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/10/13", "falsepositive": [ "System administrator Usage" @@ -59954,8 +65735,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" @@ -59975,7 +65756,42 @@ } ], "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", - "value": "Accesschk Usage To Check Privileges" + "value": "Permission Check Via Accesschk.EXE" + }, + { + "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "meta": { + "author": "frack113", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regsvr32_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "value": "Suspicious Regsvr32 Execution With Image Extension" }, { "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", @@ -60010,6 +65826,43 @@ "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "value": "Use of TTDInject.exe" }, + { + "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "meta": { + "author": "TropChaud", + "creation_date": "2023/01/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9d5a1274-922a-49d0-87f3-8c653483b909", + "value": "Potential System Information Discovery Via Wmic.EXE" + }, { "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", "meta": { @@ -60045,75 +65898,60 @@ "value": "Using AppVLP To Circumvent ASR File Path Rule" }, { - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", - "meta": { - "author": "Ilya Krestinichev", - "creation_date": "2022/11/03", - "falsepositive": [ - "False positive could occur in admin scripts that execute inline" - ], - "filename": "proc_creation_win_susp_ping_del.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "related": [ - { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "value": "Suspicious Ping And Del Combination" - }, - { - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/11", + "creation_date": "2022/03/24", "falsepositive": [ - "Administrative activity", - "Software installation" + "Legitimate scripts that use IEX" ], - "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", + "filename": "proc_creation_win_powershell_iex_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml" + ], + "tags": "No established tags" + }, + "uuid": "09576804-7a05-458e-a817-eb718ca91f54", + "value": "Suspicious PowerShell IEX Execution Patterns" + }, + { + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", + "meta": { + "author": "Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sc_sdset_deny_service_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ - "attack.execution", "attack.persistence", - "attack.t1053.005" + "attack.t1543.003" ] }, "related": [ { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "value": "Suspicious Scheduled Task Creation Involving Temp Folder" + "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "value": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", @@ -60136,93 +65974,18 @@ "attack.t1021" ] }, + "related": [ + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "value": "Potential Remote Desktop Tunneling" }, - { - "description": "Detects suspicious msiexec process starts with web addresses as parameter", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/02/09", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_msiexec_web_install.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", - "value": "MsiExec Web Install" - }, - { - "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", - "meta": { - "author": "blueteamer8699", - "creation_date": "2022/01/03", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" - ] - }, - "related": [ - { - "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", - "value": "GatherNetworkInfo.vbs Script Usage" - }, { "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", "meta": { @@ -60278,8 +66041,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" ], "tags": [ @@ -60333,39 +66096,42 @@ "value": "Always Install Elevated MSI Spawned Cmd And Powershell" }, { - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2022/01/04", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/24", "falsepositive": [ - "Command lines that use the same flags" + "Legitimate files with these rare hacktool names" ], - "filename": "proc_creation_win_proc_dump_createdump.yml", - "level": "high", + "filename": "proc_creation_win_hktl_relay_attacks_tools.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://github.com/ohpe/juicy-potato", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://www.localpotato.com/", + "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution", + "attack.t1557.001" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "value": "CreateDump Process Dump" + "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", + "value": "Potential SMB Relay Attack Tool Execution" }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", @@ -60388,116 +66154,59 @@ "attack.t1562.001" ] }, - "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", - "value": "Delete SafeBoot Keys Via Reg Utility" - }, - { - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/29", - "falsepositive": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" - ], - "filename": "proc_creation_win_susp_powershell_sam_access.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/splinter_code/status/1420546784250769408", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, "related": [ { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1af57a4b-460a-4738-9034-db68b880c665", - "value": "PowerShell SAM Copy" + "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "value": "SafeBoot Registry Key Deleted Via Reg.EXE" }, { - "description": "Detects SILENTTRINITY stager use", + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", "meta": { - "author": "Aleksey Potapov, oscd.community", - "creation_date": "2019/10/22", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/28", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_silenttrinity_stage_use.yml", - "level": "high", + "filename": "proc_creation_win_sc_sdset_modification.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/0gtweet/status/1628720819537936386", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1071" + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" ] }, "related": [ { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", - "value": "SILENTTRINITY Stager Execution" + "uuid": "98c5aeef-32d5-492f-b174-64a691896d25", + "value": "Service Security Descriptor Tampering Via Sc.EXE" }, { - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/12/19", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_rubeus.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/Rubeus", - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ] - }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "value": "Rubeus Hack Tool" - }, - { - "description": "Detects QBot like process executions", + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/10/01", @@ -60509,8 +66218,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", "https://twitter.com/killamjr/status/1179034907932315648", + "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" ], "tags": [ @@ -60528,7 +66237,7 @@ } ], "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "value": "QBot Process Creation" + "value": "Potential QBot Activity" }, { "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", @@ -60573,80 +66282,274 @@ "value": "PrintBrm ZIP Creation of Extraction" }, { - "description": "Detects execution of Net.exe, whether suspicious or benign.", + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", "meta": { - "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", - "creation_date": "2019/01/16", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/01/28", "falsepositive": [ - "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." + "Unknown yet" ], - "filename": "proc_creation_win_susp_net_execution.yml", - "level": "low", + "filename": "proc_creation_win_renamed_dctask64.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral_movement", - "attack.t1021.002", - "attack.s0039" + "attack.defense_evasion", + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ] }, "related": [ { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", - "value": "Net.exe Execution" + "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "value": "Renamed ZOHO Dctask64 Execution" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_malware_adwind.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "value": "Adwind RAT / JRAT" + }, + { + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "meta": { + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "creation_date": "2019/02/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_mshta_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "value": "MSHTA Suspicious Execution 01" + }, + { + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Authorized administrative activity" + ], + "filename": "proc_creation_win_adfind_enumeration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adfind_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "value": "Suspicious ActiveDirectory Enumeration Via AdFind.EXE" + }, + { + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/02/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_csc_susp_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1094924091256176641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "value": "Suspicious Parent of Csc.exe" + }, + { + "description": "Detect use of X509Enrollment", + "meta": { + "author": "frack113", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "proc_creation_win_powershell_x509enrollment.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" + ], + "tags": "No established tags" + }, + "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "value": "Suspicious X509Enrollment - Process Creation" }, { "description": "Shadow Copies storage symbolic link creation using operating systems utilities", @@ -60690,7 +66593,7 @@ "value": "Shadow Copies Access via Symlink" }, { - "description": "Detects process creation with a renamed Msdt.exe", + "description": "Detects the execution of a renamed \"Msdt.exe\" binary", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022/06/03", @@ -60720,67 +66623,75 @@ } ], "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "value": "Renamed Msdt.exe" + "value": "Renamed Msdt.EXE Execution" }, { - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/25", + "author": "frack113", + "creation_date": "2022/01/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml", - "level": "high", + "filename": "proc_creation_win_hktl_evil_winrm.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", + "https://github.com/Hackplayers/evil-winrm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ - "attack.execution", "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", - "value": "Hermetic Wiper TG Process Patterns" - }, - { - "description": "Detects the use of NSudo tool for command execution", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2022/01/24", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proc_creation_win_tool_nsudo_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://nsudo.m2team.org/en-us/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.t1021.006" ] }, "related": [ { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", - "value": "NSudo Tool Execution" + "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "value": "HackTool - WinRM Access Via Evil-WinRM" + }, + { + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_recon_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "221b251a-357a-49a9-920a-271802777cc0", + "value": "Process Reconnaissance Via Wmic.EXE" }, { "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", @@ -60815,42 +66726,6 @@ "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", "value": "UtilityFunctions.ps1 Proxy Dll" }, - { - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "meta": { - "author": "Konstantin Grishchenko, oscd.community", - "creation_date": "2020/10/07", - "falsepositive": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" - ], - "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", - "value": "Suspicious Rundll32 Setupapi.dll Activity" - }, { "description": "Identifies the creation of local users via the net.exe command.", "meta": { @@ -60865,8 +66740,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -60886,28 +66761,6 @@ "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "value": "New User Created Via Net.EXE" }, - { - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" - ], - "tags": "No established tags" - }, - "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "value": "Suspicious Kernel Dump Using Dtrace" - }, { "description": "Detects a suspicious RDP session redirect using tscon.exe", "meta": { @@ -60939,6 +66792,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", @@ -60977,6 +66837,142 @@ "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "value": "Use of NetSupport Remote Access Software" }, + { + "description": "Commandline to launch powershell with a base64 payload", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_encode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", + "value": "Suspicious Execution of Powershell with Base64" + }, + { + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/05/24", + "falsepositive": [ + "Other tools that work with encoded scripts in the command line instead of script files" + ], + "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "value": "Suspicious PowerShell Encoded Command Patterns" + }, + { + "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", + "falsepositive": [ + "There legitimate reasons to export certificates. Investigate the activity to determine if it's benign" + ], + "filename": "proc_creation_win_certutil_export_pfx.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", + "value": "Certificate Exported Via Certutil.EXE" + }, + { + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.poweradmin.com/paexec/", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ea011323-7045-460b-b2d7-0f7442ea6b38", + "value": "Potential PsExec Remote Execution" + }, { "description": "Detects Hurricane Panda Activity", "meta": { @@ -61012,40 +67008,83 @@ "value": "Hurricane Panda Activity" }, { - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", "meta": { - "author": "pH-T (Nextron Systems)", - "creation_date": "2022/03/01", + "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", + "creation_date": "2022/10/21", "falsepositive": [ - "Unlikely" + "File located in the AppData folder with trusted signature" ], - "filename": "proc_creation_win_susp_base64_load.yml", + "filename": "proc_creation_win_office_onenote_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", + "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "value": "Suspicious Encoded Obfuscated LOAD String" + "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "value": "Suspicious Microsoft OneNote Child Process" + }, + { + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/08/24", + "falsepositive": [ + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + ], + "filename": "proc_creation_win_csc_susp_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "related": [ + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "value": "Suspicious Csc.exe Source File Folder" }, { "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", @@ -61082,7 +67121,7 @@ "value": "Potential Credential Dumping Via WER" }, { - "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field", + "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020/10/09", @@ -61121,7 +67160,7 @@ } ], "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", - "value": "Renamed FTP.EXE Binary Execution" + "value": "Renamed FTP.EXE Execution" }, { "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", @@ -61189,7 +67228,7 @@ } ], "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "value": "Windows Crypto Mining Indicators" + "value": "Potential Crypto Mining Activity" }, { "description": "Detects Base64 encoded Shellcode", @@ -61212,9 +67251,62 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", "value": "PowerShell Base64 Encoded Shellcode" }, + { + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/10/30", + "falsepositive": [ + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" + ], + "filename": "proc_creation_win_sysinternals_procdump_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", + "value": "Potential LSASS Process Dump Via Procdump" + }, { "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", "meta": { @@ -61249,75 +67341,38 @@ "value": "JSC Convert Javascript To Executable" }, { - "description": "Detects various anomalies in relation to regsvr32.exe", + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", - "creation_date": "2019/01/16", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/05", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_susp_regsvr32_anomalies.yml", + "filename": "proc_creation_win_hktl_quarks_pwdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/quarkslab/quarkspwdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" + "attack.credential_access", + "attack.t1003.002" ] }, "related": [ { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "value": "Regsvr32 Anomaly" - }, - { - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_disable.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "related": [ - { - "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "value": "Disable Important Scheduled Task" + "uuid": "0685b176-c816-4837-8e7b-1216f346636b", + "value": "HackTool - Quarks PwDump Execution" }, { "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", @@ -61353,6 +67408,55 @@ "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", "value": "Execute MSDT Via Answer File" }, + { + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "meta": { + "author": "Trent Liffick", + "creation_date": "2020/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "value": "Findstr Launching .lnk File" + }, { "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "meta": { @@ -61483,8 +67587,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" ], "tags": [ @@ -61505,28 +67609,38 @@ "value": "Suspicious ScreenSave Change by Reg.exe" }, { - "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", "meta": { - "author": "@SBousseaden (idea), Christian Burkard (Nextron Systems) (rule)", - "creation_date": "2022/06/02", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_office_dir_traversal_cli.yml", + "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1531653369546301440", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ - "attack.execution", - "attack.defense_evasion" + "attack.impact", + "attack.t1490" ] }, - "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", - "value": "Office Directory Traversal CommandLine" + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "value": "Boot Configuration Tampering Via Bcdedit.EXE" }, { "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", @@ -61535,7 +67649,7 @@ "creation_date": "2022/09/28", "falsepositive": [ "Legitimate piping of the password to anydesk", - "Some FP could occure with similar tools that uses the same command line '--set-password'" + "Some FP could occur with similar tools that uses the same command line '--set-password'" ], "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml", "level": "medium", @@ -61562,6 +67676,149 @@ "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", "value": "AnyDesk Piped Password Via CLI" }, + { + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Use of Program Compatibility Troubleshooter Helper" + ], + "filename": "proc_creation_win_lolbin_pcwutl.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/harr0ey/status/989617817849876488", + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "value": "Code Execution via Pcwutl.dll" + }, + { + "description": "Detects powershell scripts that import modules from suspicious directories", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation" + }, + { + "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + ], + "filename": "proc_creation_win_browsers_msedge_minimized_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_msedge_minimized_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", + "value": "Suspicious Minimized MSEdge Start" + }, + { + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "value": "HackTool - CrackMapExec PowerShell Obfuscation" + }, { "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "meta": { @@ -61575,9 +67832,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" ], "tags": [ @@ -61597,39 +67854,6 @@ "uuid": "6345b048-8441-43a7-9bed-541133633d7a", "value": "ZOHO Dctask64 Process Injection" }, - { - "description": "Detects the use of various cli utility related to web request exfiltrating data", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_exfil_data_via_cli.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", - "value": "Possible Exfiltration Of Data Via CLI" - }, { "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "meta": { @@ -61651,50 +67875,17 @@ "attack.t1574.002" ] }, - "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", - "value": "Suspicious GUP Usage" - }, - { - "description": "Execute C# code located in the consoleapp folder", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Legitimate use of dnx.exe by legitimate user" - ], - "filename": "proc_creation_win_susp_dnx.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" - ] - }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", - "value": "Application Whitelisting Bypass via Dnx.exe" + "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", + "value": "Suspicious GUP Usage" }, { "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", @@ -61709,10 +67900,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -61733,23 +67924,79 @@ "value": "Use of VisualUiaVerifyNative.exe" }, { - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/12/07", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_netsh_fw_rules_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://ss64.com/nt/netsh.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "value": "Suspicious Firewall Configuration Discovery Via Netsh.EXE" + }, + { + "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/31", + "creation_date": "2022/04/27", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_hack_adcspwn.yml", + "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/bats3c/ADCSPwn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", + "https://github.com/cube0x0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" + ], + "tags": "No established tags" + }, + "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "value": "Suspicious Hacktool Execution - PE Metadata" + }, + { + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/24", + "falsepositive": [ + "Legitimate use of the impacket tools" + ], + "filename": "proc_creation_win_hktl_impacket_tools.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml" ], "tags": [ - "attack.credential_access", + "attack.execution", "attack.t1557.001" ] }, @@ -61762,8 +68009,8 @@ "type": "related-to" } ], - "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "value": "ADCSPwn Hack Tool" + "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", + "value": "HackTool - Impacket Tools Execution" }, { "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", @@ -61826,10 +68073,10 @@ { "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", "meta": { - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T (Nextron Systems)", + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "creation_date": "2022/02/12", "falsepositive": [ - "Unknown" + "Unlikely" ], "filename": "proc_creation_win_schtasks_reg_loader.yml", "level": "high", @@ -61865,42 +68112,6 @@ "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "value": "Scheduled Task Executing Powershell Encoded Payload from Registry" }, - { - "description": "Detects a file or folder's permissions being modified or tampered with.", - "meta": { - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "creation_date": "2019/10/23", - "falsepositive": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" - ], - "filename": "proc_creation_win_file_permission_modifications.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ] - }, - "related": [ - { - "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "value": "File or Folder Permissions Modifications" - }, { "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", "meta": { @@ -61937,29 +68148,68 @@ "value": "Suspicious Elevated System Shell" }, { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/05/08", + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2018/12/27", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_dns_serverlevelplugindll.yml", + "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/sensepost/ruler", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" + "attack.execution", + "attack.t1059", + "attack.t1202" ] }, - "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", - "value": "DNS ServerLevelPluginDll Install" + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", + "value": "Suspicious Remote Child Process From Outlook" + }, + { + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_blackbyte_ransomware.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blackbyte_ransomware.yml" + ], + "tags": "No established tags" + }, + "uuid": "999e8307-a775-4d5f-addc-4855632335be", + "value": "Potential BlackByte Ransomware Activity" }, { "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", @@ -61967,15 +68217,15 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/26", "falsepositive": [ - "In development environment where VsCode is used heavily. False positives may occure when developers use task to compile or execute different types of code. Remove or add processes accordingly" + "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly" ], "filename": "proc_creation_win_vscode_child_processes_anomalies.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021838407495681", "https://twitter.com/nas_bench/status/1618021415852335105", + "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ @@ -62004,6 +68254,40 @@ "uuid": "5a3164f2-b373-4152-93cf-090b13c12d27", "value": "VsCode Child Process Anomaly" }, + { + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "meta": { + "author": "frack113", + "creation_date": "2021/12/27", + "falsepositive": [ + "Tools that use similar command line flags and values" + ], + "filename": "proc_creation_win_hktl_hashcat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hashcat.net/wiki/doku.php?id=hashcat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.002" + ] + }, + "related": [ + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "value": "HackTool - Hashcat Password Cracker Execution" + }, { "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", "meta": { @@ -62017,8 +68301,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], @@ -62049,94 +68333,81 @@ "value": "Bypass UAC via CMSTP" }, { - "description": "Detects PsExec service execution via default service image name", + "description": "Detects the use of Advanced Port Scanner.", "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/12", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/18", "falsepositive": [ - "Unknown" + "Legitimate administrative use", + "Tools with similar commandline (very rare)" ], - "filename": "proc_creation_win_tool_psexec.yml", - "level": "low", + "filename": "proc_creation_win_pua_advanced_port_scanner.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml" ], "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.discovery", + "attack.t1046", + "attack.t1135" ] }, "related": [ { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", - "value": "PsExec Tool Execution" + "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "value": "PUA - Advanced Port Scanner Execution" }, { - "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", + "description": "Detects attackers attempting to disable Windows Defender using Powershell", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/04", + "author": "ok @securonix invrep-de, oscd.community, frack113", + "creation_date": "2020/10/12", "falsepositive": [ - "Legitimate use of one of these tools" + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], - "filename": "proc_creation_win_hacktool_imphashes.yml", + "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" - ], - "tags": "No established tags" - }, - "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "value": "Windows Hacktool Imphash" - }, - { - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/03/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_cve_2021_26857_msexchange.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" + "attack.defense_evasion", + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "value": "CVE-2021-26857 Exchange Exploitation" + "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "value": "Disable Windows Defender AV Security Monitoring" }, { "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", @@ -62169,7 +68440,7 @@ } ], "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "value": "DefenderCheck Usage" + "value": "PUA - DefenderCheck Execution" }, { "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", @@ -62197,6 +68468,73 @@ "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "value": "Suspicious Shells Spawn by Java Utility Keytool" }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_sharpview.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/tevora-threat/SharpView/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ] + }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "value": "HackTool - SharpView Execution" + }, { "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)", "meta": { @@ -62218,68 +68556,17 @@ "attack.t1036.005" ] }, - "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", - "value": "Lazarus Session Highjacker" - }, - { - "description": "Detects multiple suspicious process in a limited timeframe", - "meta": { - "author": "juju4", - "creation_date": "2019/01/16", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_multiple_susp_cli.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://car.mitre.org/wiki/CAR-2013-04-002", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml" - ], - "tags": [ - "car.2013-04-002", - "attack.execution", - "attack.t1059" - ] - }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", - "value": "Quick Execution of a Series of Suspicious Commands" - }, - { - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/11/10", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "435e10e4-992a-4281-96f3-38b11106adde", - "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "value": "Lazarus Session Highjacker" }, { "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", @@ -62295,8 +68582,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -62317,35 +68604,10 @@ "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", "value": "UAC Bypass WSReset" }, - { - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/14", - "falsepositive": [ - "Rare legitimate installation of kernel drivers via sc.exe" - ], - "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", - "value": "New Kernel Driver Via SC.EXE" - }, { "description": "Detects Ryuk ransomware activity", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/12/16", "falsepositive": [ "Unlikely" @@ -62356,6 +68618,7 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" ], "tags": [ @@ -62363,8 +68626,17 @@ "attack.t1547.001" ] }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", - "value": "Ryuk Ransomware" + "value": "Potential Ryuk Ransomware Activity" }, { "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", @@ -62400,55 +68672,38 @@ "value": "DeviceCredentialDeployment Execution" }, { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "description": "Detects the execution of WMIC to query information on a remote system", "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_office_spawning_wmi_commandline.yml", - "level": "high", + "filename": "proc_creation_win_wmic_remote_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", "attack.execution", - "attack.defense_evasion" + "attack.t1047" ] }, "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], - "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", - "value": "Office Applications Spawning Wmi Cli Alternate" + "uuid": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", + "value": "WMIC Remote Command Execution" }, { "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"\"...etc.", @@ -62480,47 +68735,203 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - } - ], - "uuid": "1816994b-42e1-4fb1-afd2-134d88184f71", - "value": "PowerShell Base64 Encoded WMI Classes" - }, - { - "description": "Detects usage of the SysInternals Procdump utility", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/08/16", - "falsepositive": [ - "Legitimate use of procdump by a developer or administrator" - ], - "filename": "proc_creation_win_procdump.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "related": [ + }, { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", - "value": "Procdump Usage" + "uuid": "1816994b-42e1-4fb1-afd2-134d88184f71", + "value": "PowerShell Base64 Encoded WMI Classes" }, { - "description": "Identifies suspicious mshta.exe commands.", + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "meta": { + "author": "Nik Seetharaman, frack113", + "creation_date": "2019/01/16", + "falsepositive": [ + "Legitimate MWC use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_lolbin_workflow_compiler.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", + "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1127", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", + "value": "Microsoft Workflow Compiler Execution" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_net_network_connections_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "value": "System Network Connections Discovery Via Net.EXE" + }, + { + "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113, Florian Roth (Nextron Systems)", + "creation_date": "2021/07/21", + "falsepositive": [ + "Legitimate ncat use" + ], + "filename": "proc_creation_win_pua_netcat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://www.revshells.com/", + "https://nmap.org/ncat/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", + "value": "PUA - Netcat Suspicious Execution" + }, + { + "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certutil_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", + "value": "Suspicious Download Via Certutil.EXE" + }, + { + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "meta": { + "author": "E.M. Anhaus, Tony Lambert, oscd.community, omkar72", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of the utilities by legitimate user for legitimate reason" + ], + "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", + "value": "Domain Trust Discovery Via Dsquery" + }, + { + "description": "Detects execution of javascript code using \"mshta.exe\".", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019/10/24", @@ -62532,8 +68943,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ @@ -62551,7 +68962,7 @@ } ], "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", - "value": "Mshta JavaScript Execution" + "value": "Suspicious JavaScript Execution Via Mshta.EXE" }, { "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", @@ -62566,8 +68977,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ @@ -62588,37 +68999,71 @@ "value": "Ruby Inline Command Execution" }, { - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "description": "Execution of plink to perform data exfiltration and tunneling", "meta": { - "author": "frack113", - "creation_date": "2021/12/20", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/04", "falsepositive": [ - "Unknown" + "Administrative activity" ], - "filename": "proc_creation_win_susp_reg_open_command.yml", - "level": "medium", + "filename": "proc_creation_win_plink_susp_tunneling.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml" + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.command_and_control", + "attack.t1572" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", - "value": "Suspicious Reg Add Open Command" + "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "value": "Potential RDP Tunneling Via SSH Plink" + }, + { + "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/05", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_curl_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "value": "Curl.EXE Execution" }, { "description": "Detects suspicious file execution by wscript and cscript", @@ -62661,62 +69106,37 @@ "value": "WSF/JSE/JS/VBA/VBE File Execution" }, { - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/02/11", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/09", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_susp_csc.yml", + "filename": "proc_creation_win_schtasks_delete.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1094924091256176641", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml" + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" + "attack.impact", + "attack.t1489" ] }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "value": "Suspicious Parent of Csc.exe" + "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "value": "Delete Important Scheduled Task" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", @@ -62742,6 +69162,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -62754,7 +69181,7 @@ "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, { - "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", "meta": { "author": "frack113", "creation_date": "2022/02/13", @@ -62775,8 +69202,17 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", - "value": "Registry Defender Exclusions" + "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, { "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", @@ -62791,8 +69227,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" ], "tags": [ @@ -62800,6 +69236,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "value": "Sticky-Key Backdoor Copy Cmd.exe" }, @@ -62816,8 +69261,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" ], "tags": [ @@ -62838,148 +69283,61 @@ "value": "EvilNum Golden Chickens Deployment via OCX Files" }, { - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", + "creation_date": "2022/08/04", "falsepositive": [ - "Unlikely" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" ], - "filename": "proc_creation_win_susp_schtasks_delete.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "related": [ - { - "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", - "value": "Delete Important Scheduled Task" - }, - { - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2020/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", - "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "value": "CrackMapExec PowerShell Obfuscation" - }, - { - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "meta": { - "author": "Trent Liffick", - "creation_date": "2020/05/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_findstr_lnk.yml", + "filename": "proc_creation_win_wusa_cab_files_extraction.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1202", - "attack.t1027.003" + "attack.execution" ] }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", - "value": "Findstr Launching .lnk File" + "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", + "value": "Wusa Extracting Cab Files" }, { - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "meta": { - "author": "frack113", - "creation_date": "2021/12/13", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/10/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_delete_systemstatebackup.yml", + "filename": "proc_creation_win_wmic_susp_process_creation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" ], "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.t1047" ] }, "related": [ { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", - "value": "Wbadmin Delete Systemstatebackup" + "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "value": "Suspicious Process Created Via Wmic.EXE" }, { "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", @@ -63029,11 +69387,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -63062,34 +69420,6 @@ "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clear or Configuration Change" }, - { - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2021/01/30", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_wmic_security_product_uninstall.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/cglyer/status/1355171195654709249", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_security_product_uninstall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "value": "Potential Tampering With Security Products Via WMIC" - }, { "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { @@ -63114,6 +69444,15 @@ "car.2014-11-008" ] }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "value": "Sticky Key Like Backdoor Usage" }, @@ -63163,8 +69502,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" ], "tags": [ @@ -63190,7 +69529,41 @@ } ], "uuid": "15619216-e993-4721-b590-4c520615a67d", - "value": "Meterpreter or Cobalt Strike Getsystem Service Start" + "value": "Potential Meterpreter/CobaltStrike Activity" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" }, { "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", @@ -63225,6 +69598,39 @@ "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "value": "Suspicious Certreq Command to Download" }, + { + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "value": "Tamper Windows Defender Remove-MpPreference" + }, { "description": "Detects a windows service to be stopped", "meta": { @@ -63295,40 +69701,7 @@ } ], "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "value": "Process Creation with Renamed BrowserCore.exe" - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_network_listing_connections.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "related": [ - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "value": "Suspicious Listing of Network Connections" + "value": "Renamed BrowserCore.EXE Execution" }, { "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", @@ -63394,10 +69767,58 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", - "value": "Seatbelt PUA Tool" + "value": "PUA - Seatbelt Execution" + }, + { + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/24", + "falsepositive": [ + "Very unlikely" + ], + "filename": "proc_creation_win_hktl_inveigh.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "value": "HackTool - Inveigh Execution" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", @@ -63434,37 +69855,37 @@ "value": "UAC Bypass Abusing Winsat Path Parsing - Process" }, { - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "meta": { - "author": "frack113", - "creation_date": "2021/11/15", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/08", "falsepositive": [ - "Unlikely" + "Administrators or Power users may remove their shares via cmd line" ], - "filename": "proc_creation_win_susp_reg_bitlocker.yml", - "level": "high", + "filename": "proc_creation_win_net_share_unmount.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml" ], "tags": [ - "attack.impact", - "attack.t1486" + "attack.defense_evasion", + "attack.t1070.005" ] }, "related": [ { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", - "value": "Suspicious Reg Add BitLocker" + "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", + "value": "Unmount Share Via Net.EXE" }, { "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", @@ -63499,6 +69920,73 @@ "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", "value": "Launch-VsDevShell.PS1 Proxy Execution" }, + { + "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely (at.exe deprecated as of Windows 8)" + ], + "filename": "proc_creation_win_at_interactive_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ] + }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "value": "Interactive AT Job" + }, + { + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", + "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" + }, { "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", "meta": { @@ -63533,6 +70021,53 @@ "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "value": "Always Install Elevated Windows Installer" }, + { + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/06/28", + "falsepositive": [ + "Some legitimate apps use this, but limited." + ], + "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://isc.sans.edu/diary/22264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "value": "Suspicious Download From File-Sharing Website Via Bitsadmin" + }, { "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", "meta": { @@ -63547,9 +70082,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -63559,6 +70094,13 @@ ] }, "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -63583,8 +70125,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" ], "tags": [ @@ -63592,9 +70134,39 @@ "attack.t1123" ] }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", "value": "Audio Capture via SoundRecorder" }, + { + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "meta": { + "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", + "creation_date": "2022/01/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1481630810495139841?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml" + ], + "tags": "No established tags" + }, + "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "value": "Rundll32 Execution Without DLL File" + }, { "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", "meta": { @@ -63641,6 +70213,15 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", "value": "User Discovery And Export Via Get-ADUser Cmdlet" }, @@ -63666,6 +70247,13 @@ ] }, "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ @@ -63690,8 +70278,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], @@ -63712,6 +70300,39 @@ "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "value": "Microsoft IIS Service Account Password Dumped" }, + { + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/24", + "falsepositive": [ + "Scripts or tools that download files and execute them" + ], + "filename": "proc_creation_win_powershell_download_iex.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", + "value": "PowerShell Web Download and Execution" + }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { @@ -63747,28 +70368,38 @@ "value": "UAC Bypass Using MSConfig Token Modification - Process" }, { - "description": "Detects the execution of AdvancedRun utility", + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/20", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_advancedrun.yml", + "filename": "proc_creation_win_wmic_recon_service.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], - "tags": "No established tags" + "tags": [ + "attack.execution", + "attack.t1047" + ] }, - "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", - "value": "Suspicious AdvancedRun Execution" + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", + "value": "Service Reconnaissance Via Wmic.EXE" }, { "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", @@ -63793,9 +70424,51 @@ "attack.t1543.003" ] }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "value": "Suspicious New Service Creation" }, + { + "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "value": "Unusually Long PowerShell CommandLine" + }, { "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", "meta": { @@ -63830,7 +70503,31 @@ "value": "Script Interpreter Execution From Suspicious Folder" }, { - "description": "Detects the presenece of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", + "description": "Detects email exfiltration via powershell cmdlets", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_email_exfil.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", + "value": "Email Exifiltration Via Powershell" + }, + { + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020/10/11", @@ -63842,8 +70539,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -63854,6 +70551,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -63865,40 +70569,6 @@ "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "value": "Potential PowerShell Obfuscation Via Reversed Commands" }, - { - "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hh_chm_http.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "related": [ - { - "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", - "value": "HH.exe Remote CHM File Execution" - }, { "description": "Detects a command used by conti to exfiltrate NTDS", "meta": { @@ -63912,8 +70582,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" ], "tags": [ @@ -63933,39 +70603,6 @@ "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "value": "Conti NTDS Exfiltration Command" }, - { - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", - "value": "Windows Firewall Disabled via PowerShell" - }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { @@ -63990,6 +70627,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -64021,41 +70665,194 @@ "attack.t1036.005" ] }, - "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "value": "Suspicious Svchost Process" - }, - { - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "meta": { - "author": "Nasreddine Bencherchali @nas_bench", - "creation_date": "2021/12/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, "related": [ { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "value": "Suspicious NT Resource Kit Auditpol Usage" + "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "value": "Suspicious Svchost Process" + }, + { + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/02/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_gather_network_info_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" + ] + }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "07aa184a-870d-413d-893a-157f317f6f58", + "value": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, + { + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "meta": { + "author": "Teymur Kheirkhabarov, Harish Segar", + "creation_date": "2020/03/20", + "falsepositive": [ + "Other scripts" + ], + "filename": "proc_creation_win_powershell_susp_parent_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", + "value": "Suspicious PowerShell Parent Process" + }, + { + "description": "Detects the execution of SecurityXploded Tools", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/12/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_secutyxploded.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securityxploded.com/", + "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ] + }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "value": "HackTool - SecurityXploded Execution" + }, + { + "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", + "meta": { + "author": "Sander Wiebing", + "creation_date": "2020/05/23", + "falsepositive": [ + "Legitimate administration activity" + ], + "filename": "proc_creation_win_netsh_fw_allow_rdp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "value": "RDP Connection Allowed Via Netsh.EXE" + }, + { + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/12/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_sysmoneop.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml" + ], + "tags": [ + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "value": "HackTool - SysmonEOP Execution" }, { "description": "Detects code execution via the Windows Update client (wuauclt)", @@ -64100,38 +70897,64 @@ "value": "Windows Update Client LOLBIN" }, { - "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/05", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/29", "falsepositive": [ - "Unlikely" + "Programs that use the same command line flags" ], - "filename": "proc_creation_win_sharp_chisel_usage.yml", + "filename": "proc_creation_win_hktl_sharpldapwhoami.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", - "https://github.com/shantanu561993/SharpChisel", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" + "https://github.com/bugch3ck/SharpLdapWhoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1090.001" + "attack.discovery", + "attack.t1033", + "car.2016-03-001" ] }, "related": [ { - "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "value": "SharpChisel Usage" + "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "value": "HackTool - SharpLdapWhoami Execution" + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/08/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_mailboxexport_share.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "value": "Suspicious PowerShell Mailbox Export to Share" }, { "description": "Detects the import of the specified file to the registry with regedit.exe.", @@ -64156,63 +70979,17 @@ "attack.defense_evasion" ] }, - "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "value": "Imports Registry Key From a File" - }, - { - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "meta": { - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", - "creation_date": "2019/02/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_mshta_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" - ] - }, "related": [ { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "value": "MSHTA Suspicious Execution 01" + "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "value": "Imports Registry Key From a File" }, { "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", @@ -64256,57 +71033,17 @@ "attack.t1562.001" ] }, - "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", - "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" - }, - { - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sharpup.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/SharpUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" - ] - }, "related": [ { - "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "value": "SharpUp PrivEsc Tool" + "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", + "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" }, { "description": "Detects dump of credentials in VeeamBackup dbo", @@ -64340,40 +71077,7 @@ } ], "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "value": "VeeamBackup Database Credentials Dump" - }, - { - "description": "Uninstall an application with wmic", - "meta": { - "author": "frac113", - "creation_date": "2022/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_remove_application.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", - "value": "WMI Uninstall An Application" + "value": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" }, { "description": "The OpenWith.exe executes other binary", @@ -64388,8 +71092,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" ], "tags": [ @@ -64409,22 +71113,45 @@ "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "value": "OpenWith.exe Executes Specified Binary" }, + { + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/10/10", + "falsepositive": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "filename": "proc_creation_win_pua_process_hacker.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://processhacker.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" + ], + "tags": "No established tags" + }, + "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", + "value": "PUA - Process Hacker / System Informer Execution" + }, { "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/01", "falsepositive": [ - "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "filename": "proc_creation_win_net_default_accounts_manipulation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], "tags": [ @@ -64442,7 +71169,7 @@ } ], "uuid": "5b768e71-86f2-4879-b448-81061cbae951", - "value": "Suspicious Manipulation Of Default Accounts" + "value": "Suspicious Manipulation Of Default Accounts Via Net.EXE" }, { "description": "load malicious registered COM objects", @@ -64457,8 +71184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", + "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ @@ -64479,6 +71206,48 @@ "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", "value": "Rundll32 Registered COM Objects" }, + { + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/04/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" + ], + "tags": [ + "attack.t1211", + "attack.t1059", + "attack.defense_evasion", + "attack.persistence" + ] + }, + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "value": "Writing Of Malicious Files To The Fonts Folder" + }, { "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", "meta": { @@ -64538,7 +71307,7 @@ { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "meta": { - "author": "frack113, Nasreddine Bencherchali", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", "falsepositive": [ "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." @@ -64548,9 +71317,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -64571,42 +71340,7 @@ "value": "Use NTFS Short Name in Command Line" }, { - "description": "Detects PowerShell script execution via input stream redirect", - "meta": { - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", - "https://twitter.com/Moriarty_Meng/status/984380793383370752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", - "value": "Run PowerShell Script from Redirected Input Stream" - }, - { - "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/19", @@ -64626,7 +71360,7 @@ ] }, "uuid": "0afbd410-de03-4078-8491-f132303cb67d", - "value": "Execution of Renamed NetSupport RAT" + "value": "Renamed NetSupport RAT Execution" }, { "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", @@ -64707,54 +71441,71 @@ "value": "TA505 Dropper Load Pattern" }, { - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects the execution of msiexec.exe from an uncommon directory", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/26", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_krbrelayup.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ] - }, - "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", - "value": "KrbRelayUp Hack Tool" - }, - { - "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).", - "meta": { - "author": "frack113", - "creation_date": "2021/12/16", + "creation_date": "2019/11/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_findstr_385201.yml", + "filename": "proc_creation_win_msiexec_masquerading.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" + "https://twitter.com/200_okay_/status/1194765831911215104", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml" ], "tags": [ - "attack.discovery", - "attack.t1518.001" + "attack.defense_evasion", + "attack.t1036.005" ] }, - "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", - "value": "Suspicious Findstr 385201 Execution" + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "value": "Potential MsiExec Masquerading" + }, + { + "description": "Detects a suspicious process spawning from an Outlook process.", + "meta": { + "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", + "creation_date": "2022/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_outlook_susp_child_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", + "value": "Suspicious Outlook Child Process" }, { "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", @@ -64796,6 +71547,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "3711eee4-a808-4849-8a14-faf733da3612", @@ -64834,90 +71592,6 @@ "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "value": "Windows Cmd Delete File" }, - { - "description": "Identifies usage of hh.exe executing recently modified .chm files.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hh_chm.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "related": [ - { - "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", - "value": "HH.exe Execution" - }, - { - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/08/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ps_downloadfile.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "value": "PowerShell DownloadFile" - }, { "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", "meta": { @@ -64931,8 +71605,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" ], "tags": [ @@ -64940,115 +71614,52 @@ "attack.t1562.001" ] }, - "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", - "value": "Stop Or Remove Antivirus Service" - }, - { - "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", - "meta": { - "author": "Janantha Marasinghe", - "creation_date": "2022/11/18", - "falsepositive": [ - "Legitimate administrative use" - ], - "filename": "proc_creation_win_susp_secedit.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" - ], - "tags": [ - "attack.discovery", - "attack.persistence", - "attack.defense_evasion", - "attack.credential_access", - "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" - ] - }, "related": [ { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", - "value": "Potential Suspicious Activity Using SeCEdit" + "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", + "value": "Stop Or Remove Antivirus Service" + }, + { + "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "meta": { + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "creation_date": "2021/08/09", + "falsepositive": [ + "Some rare backup scenarios" + ], + "filename": "proc_creation_win_cmd_shadowcopy_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", + "value": "Copy from Volume Shadow Copy" }, { "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", @@ -65086,42 +71697,77 @@ "value": "Suspicious Msiexec Execute Arbitrary DLL" }, { - "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "description": "Detects RDP session hijacking by using MSTSC shadowing", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/06/18", + "creation_date": "2020/01/24", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_purplesharp_indicators.yml", - "level": "critical", + "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/mvelazc0/PurpleSharp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" + "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ - "attack.t1587", - "attack.resource_development" + "attack.lateral_movement", + "attack.t1563.002" ] }, "related": [ { - "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", - "value": "PurpleSharp Indicator" + "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "value": "Potential MSTSC Shadowing Activity" }, { - "description": "Detects one of the possible scenarios for disabling symantec endpoint protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", "meta": { - "author": "Ilya Krestinichev, Florian Roth", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/31", + "falsepositive": [ + "Some installers were seen using this method of creation unfortunately. Filter them in your environment" + ], + "filename": "proc_creation_win_schtasks_schedule_type_system.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "value": "Suspicious Schtasks Schedule Type With High Privileges" + }, + { + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "meta": { + "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "creation_date": "2022/09/13", "falsepositive": [ "Unknown" @@ -65131,9 +71777,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", - "https://www.exploit-db.com/exploits/37525", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -65141,57 +71787,59 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a6713f6-3331-11ed-a261-0242ac120002", "value": "Taskkill Symantec Endpoint Protection" }, { - "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", + "description": "Detects suspicious encoded character syntax often used for defense evasion", "meta": { - "author": "@neu5ron", - "creation_date": "2019/02/07", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_bcdedit.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.persistence", - "attack.t1542.003" - ] - }, - "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", - "value": "Possible Ransomware or Unauthorized MBR Modifications" - }, - { - "description": "Detects Service Principal Name Enumeration used for Kerberoasting", - "meta": { - "author": "Markus Neis, keepwatch", - "creation_date": "2018/11/14", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/07/09", "falsepositive": [ - "Administrator Activity" + "Unknown" ], - "filename": "proc_creation_win_spn_enum.yml", - "level": "medium", + "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" + "https://twitter.com/0gtweet/status/1281103918693482496", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml" ], "tags": [ - "attack.credential_access", - "attack.t1558.003" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ] }, - "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "value": "Possible SPN Enumeration" + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", + "value": "Potential PowerShell Obfuscation Via WCHAR" }, { "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", @@ -65215,34 +71863,18 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", "value": "Suspicious Execution of Sc to Delete AV Services" }, - { - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/21", - "falsepositive": [ - "File located in the AppData folder with trusted signature" - ], - "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" - ] - }, - "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", - "value": "Suspicious Microsoft OneNote Child Process" - }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { @@ -65276,39 +71908,6 @@ "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", "value": "AnyDesk Execution" }, - { - "description": "Detects Ryuk Ransomware command lines", - "meta": { - "author": "Vasiliy Burov", - "creation_date": "2019/08/06", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_mal_ryuk.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "related": [ - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0acaad27-9f02-4136-a243-c357202edd74", - "value": "Ryuk Ransomware Command Line Activity" - }, { "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", "meta": { @@ -65322,8 +71921,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" ], "tags": [ @@ -65390,6 +71989,72 @@ "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", "value": "Wscript Shell Run In CommandLine" }, + { + "description": "Detects the Installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski (Nextron Systems)", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + ], + "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ] + }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", + "value": "MSExchange Transport Agent Installation" + }, + { + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "value": "Potential Data Exfiltration Activity Via CommandLine Tools" + }, { "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "meta": { @@ -65425,41 +72090,154 @@ "value": "Explorer NOUACCHECK Flag" }, { - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/10/30", + "author": "frack113", + "creation_date": "2021/12/11", "falsepositive": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" + "Administrator, hotline ask to user" ], - "filename": "proc_creation_win_susp_procdump_lsass.yml", - "level": "high", + "filename": "proc_creation_win_tasklist_basic_execution.yml", + "level": "informational", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" + "attack.discovery", + "attack.t1057" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", - "value": "Suspicious Use of Procdump on LSASS" + "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", + "value": "Suspicious Tasklist Discovery Command" + }, + { + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_krbrelayup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", + "value": "HackTool - KrbRelayUp Execution" + }, + { + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/27", + "falsepositive": [ + "Possible but rare" + ], + "filename": "proc_creation_win_rundll32_no_params.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cobaltstrike.com/help-opsec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", + "value": "Suspicious Rundll32 Without Any CommandLine Params" + }, + { + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysinternals_tools_masquerading.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "value": "Potential Binary Impersonating Sysinternals Tools" }, { "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", @@ -65476,11 +72254,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -65536,6 +72314,20 @@ ], "type": "related-to" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ @@ -65601,8 +72393,137 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "value": "Unusual Child Porcess of dns.exe" + "value": "Unusual Child Process of dns.exe" + }, + { + "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", + "meta": { + "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", + "creation_date": "2022/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_rdp_keys_tamper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536", + "value": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" + }, + { + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "meta": { + "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/03/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_etw_trace_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://abuse.io/lockergoga.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "value": "Disable of ETW Trace" + }, + { + "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", + "meta": { + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/05/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virusradar.com/en/Win32_Kasidet.AD/description", + "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "value": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, { "description": "The psr.exe captures desktop screenshots and saves them on the local machine", @@ -65617,8 +72538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" ], @@ -65627,9 +72548,51 @@ "attack.t1113" ] }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", "value": "Psr.exe Capture Screenshots" }, + { + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/06/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_purplesharp_indicators.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mvelazc0/PurpleSharp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml" + ], + "tags": [ + "attack.t1587", + "attack.resource_development" + ] + }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "value": "HackTool - PurpleSharp Execution" + }, { "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "meta": { @@ -65654,41 +72617,110 @@ "value": "DumpStack.log Defender Evasion" }, { - "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.", + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", - "creation_date": "2019/10/24", + "author": "Michael Haag", + "creation_date": "2019/01/16", "falsepositive": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" + "Printer software / driver installations", + "HP software" ], - "filename": "proc_creation_win_trust_discovery.yml", - "level": "medium", + "filename": "proc_creation_win_mshta_susp_child_processes.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" + "https://www.trustedsec.com/july-2015/malicious-htas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml" ], "tags": [ - "attack.discovery", - "attack.t1482" + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" ] }, "related": [ { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", - "value": "Domain Trust Discovery" + "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "value": "Suspicious MSHTA Child Process" + }, + { + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/18", + "falsepositive": [ + "Legitimate administrative use (Should be investigated either way)" + ], + "filename": "proc_creation_win_pua_cleanwipe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "value": "PUA - CleanWipe Execution" + }, + { + "description": "Detects DarkSide Ransomware and helpers", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/05/14", + "falsepositive": [ + "Unknown", + "UAC bypass method used by other malware" + ], + "filename": "proc_creation_win_malware_darkside_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_darkside_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "value": "DarkSide Ransomware Pattern" }, { "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", @@ -65713,22 +72745,67 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", "value": "Ke3chang Registry Key Modifications" }, { - "description": "Detects capture a network trace via netsh.exe trace functionality", + "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_sdclt.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", + "value": "Potential UAC Bypass Via Sdclt.EXE" + }, + { + "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", "meta": { "author": "Kutepov Anton, oscd.community", "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason" + "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_packet_capture.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], @@ -65738,8 +72815,52 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", - "value": "Capture a Network Trace with netsh.exe" + "value": "New Network Trace Capture Started Via Netsh.EXE" + }, + { + "description": "Detects Archer malware invocation via rundll32", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_fireball.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", + "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "value": "Fireball Archer Install" }, { "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", @@ -65754,8 +72875,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" ], "tags": [ @@ -65784,6 +72905,53 @@ "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", "value": "GALLIUM Sha1 Artefacts" }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_invocation_specific.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "536e2947-3729-478c-9903-745aaffe60d2", + "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation" + }, + { + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/29", + "falsepositive": [ + "Legitimate usage of the features listed in the rule." + ], + "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" + }, { "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "meta": { @@ -65827,42 +72995,6 @@ "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", "value": "Terminal Service Process Spawn" }, - { - "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2021/05/22", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" - ], - "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "related": [ - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "207b0396-3689-42d9-8399-4222658efc99", - "value": "PsExec/PAExec Flags" - }, { "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "meta": { @@ -65876,8 +73008,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" ], "tags": [ @@ -65885,6 +73017,15 @@ "attack.t1566" ] }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", "value": "Phishing Pattern ISO in Archive" }, @@ -65902,8 +73043,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -65924,44 +73065,54 @@ "value": "Operator Bloopers Cobalt Strike Commands" }, { - "description": "Detects suspicious command lines used in Covenant luanchers", + "description": "Detect filter driver unloading activity via fltmc.exe", "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2020/06/04", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_covenant.yml", + "author": "Nasreddine Bencherchali", + "creation_date": "2023/02/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_fltmc_unload_driver.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml" + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", + "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], "tags": [ - "attack.execution", "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" + "attack.t1070", + "attack.t1562", + "attack.t1562.002" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "value": "Covenant Launcher Indicators" + "uuid": "4931188c-178e-4ee7-a348-39e8a7a56821", + "value": "Filter Driver Unloaded Via Fltmc.EXE" }, { "description": "Detects usage of a base64 encoded \"IEX\" string in a process command line", @@ -65995,67 +73146,6 @@ "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", "value": "PowerShell Base64 Encoded IEX Keyword" }, - { - "description": "Detects command that is used to disable or delete Windows eventlog via logman Windows utility", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/02/11", - "falsepositive": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" - ], - "filename": "proc_creation_win_susp_disable_eventlog.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", - "https://ss64.com/nt/logman.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" - ] - }, - "related": [ - { - "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "value": "Disable or Delete Windows Eventlog" - }, - { - "description": "Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.", - "meta": { - "author": "@Kostastsale", - "creation_date": "2022/11/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" - ] - }, - "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe", - "value": "PowerShell AMSI Bypass Pattern" - }, { "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", "meta": { @@ -66069,9 +73159,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", - "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", + "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], @@ -66105,8 +73195,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" ], @@ -66127,6 +73217,110 @@ "uuid": "9847f263-4a81-424f-970c-875dab15b79b", "value": "Suspicious TSCON Start as SYSTEM" }, + { + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_malicious_cmdlets.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://adsecurity.org/?p=2921", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/samratashok/nishang", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "value": "Malicious PowerShell Commandlets - ProcessCreation" + }, { "description": "Extexport.exe loads dll and is execute from other folder the original path", "meta": { @@ -66174,8 +73368,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ @@ -66196,37 +73390,37 @@ "value": "Suspicious Msiexec Quiet Install" }, { - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "meta": { - "author": "elhoim, CD_ROM_", - "creation_date": "2022/04/27", + "author": "frack113", + "creation_date": "2022/01/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml", - "level": "high", + "filename": "proc_creation_win_python_adidnsdump.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.011" + "attack.discovery", + "attack.t1018" ] }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", - "value": "RunDLL32 Spawning Explorer" + "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", + "value": "PUA - Adidnsdump Execution" }, { "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", @@ -66241,8 +73435,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ @@ -66251,60 +73445,18 @@ "car.2016-03-001" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "value": "Renamed Whoami Execution" }, - { - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", - "meta": { - "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/23", - "falsepositive": [ - "Legitimate use of the library for administrative activity" - ], - "filename": "proc_creation_win_aadinternals_cmdlets_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Gerenios/AADInternals", - "https://o365blog.com/aadinternals/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential_access", - "attack.impact" - ] - }, - "uuid": "c86500e9-a645-4680-98d7-f882c70c1ea3", - "value": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" - }, - { - "description": "Detect use of X509Enrollment", - "meta": { - "author": "frack113", - "creation_date": "2022/12/23", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "proc_creation_win_x509enrollment.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" - ], - "tags": "No established tags" - }, - "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4", - "value": "Suspicious X509Enrollment - Process Creation" - }, { "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", "meta": { @@ -66371,6 +73523,13 @@ ] }, "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ @@ -66383,67 +73542,64 @@ "value": "Rundll32 UNC Path Execution" }, { - "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", - "creation_date": "2019/09/12", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/23", "falsepositive": [ - "Legitimate programs executing PowerShell scripts" + "Software installers that run from temporary folders and also install scheduled tasks" ], - "filename": "proc_creation_win_non_interactive_powershell.yml", - "level": "low", + "filename": "proc_creation_win_schtasks_parent.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml" + "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml" ], "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1053.005" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f4bbd493-b796-416e-bbf2-121235348529", - "value": "Non Interactive PowerShell Process Spawned" + "uuid": "9494479d-d994-40bf-a8b1-eea890237021", + "value": "Suspicious Add Scheduled Task Parent" }, { - "description": "Detects execution of renamed paexec via imphash and executable product string", + "description": "Detects the use of SharpUp, a tool for local privilege escalation", "meta": { - "author": "Jason Lynch", - "creation_date": "2019/04/17", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/20", "falsepositive": [ - "Unknown imphashes" + "Unknown" ], - "filename": "proc_creation_win_renamed_paexec.yml", - "level": "medium", + "filename": "proc_creation_win_hktl_sharpup.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" + "https://github.com/GhostPack/SharpUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.g0046", - "car.2013-05-009", - "attack.execution", - "attack.t1569.002" + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" ] }, "related": [ { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -66455,105 +73611,53 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - } - ], - "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", - "value": "Execution of Renamed PaExec" - }, - { - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "meta": { - "author": "sam0x90", - "creation_date": "2021/08/06", - "falsepositive": [ - "To be determined" - ], - "filename": "proc_creation_win_susp_esentutl_params.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/software/S0404/", - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://twitter.com/vxunderground/status/1423336151860002816", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" }, { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", - "value": "Esentutl Gather Credentials" + "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "value": "HackTool - SharpUp PrivEsc Tool Execution" }, { - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "description": "Detects execution of renamed version of PAExec. Often used by attackers", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/01/28", + "author": "Florian Roth (Nextron Systems), Jason Lynch", + "creation_date": "2021/05/22", "falsepositive": [ - "Unknown yet" + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], - "filename": "proc_creation_win_susp_renamed_dctask64.yml", + "filename": "proc_creation_win_renamed_paexec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" + "https://www.poweradmin.com/paexec/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" + "attack.t1202" ] }, "related": [ - { - "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], - "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "value": "Renamed ZOHO Dctask64" + "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "value": "Renamed PAExec Execution" }, { "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", @@ -66622,87 +73726,6 @@ "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", "value": "Use of OpenConsole" }, - { - "description": "Detects the execution GMER tool based on image and hash fields.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_gmer_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.gmer.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "value": "GMER - Rootkit Detector and Remover Execution" - }, - { - "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ] - }, - "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", - "value": "Suspicious Rundll32 Invoking Inline VBScript" - }, - { - "description": "An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_reconnaissance.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "221b251a-357a-49a9-920a-271802777cc0", - "value": "WMI Process Reconnaissance" - }, { "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", "meta": { @@ -66716,8 +73739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", "https://www.echotrail.io/insights/search/ilasm.exe", + "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" ], "tags": [ @@ -66737,39 +73760,6 @@ "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "value": "Ilasm Lolbin Use Compile C-Sharp" }, - { - "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_git_clone.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1593.003" - ] - }, - "related": [ - { - "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", - "value": "Suspicious Git Clone" - }, { "description": "Detects shell32.dll executing a DLL in a suspicious directory", "meta": { @@ -66804,6 +73794,40 @@ "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", "value": "Shell32 DLL Execution in Suspicious Directory" }, + { + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "FQDNs that start with a number" + ], + "filename": "proc_creation_win_regsvr32_http_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "value": "Suspicious Regsvr32 HTTP IP Pattern" + }, { "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", "meta": { @@ -66837,6 +73861,73 @@ "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", "value": "Suspicious MsiExec Embedding Parent" }, + { + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_krbrelay.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/cube0x0/KrbRelay", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "related": [ + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "value": "HackTool - KrbRelay Execution" + }, + { + "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", + "meta": { + "author": "pH-T (Nextron Systems)", + "creation_date": "2022/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ShadowChasing1/status/1552595370961944576", + "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "value": "Suspicious File Execution From Internet Hosted WebDav Share" + }, { "description": "Detects a suspicious child process of userinit", "meta": { @@ -66858,31 +73949,83 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", "value": "Suspicious Userinit Child Process" }, { - "description": "Detects RDP Session Hijacking on Windows systems", + "description": "Detects the usage of \"hh.exe\" executing recently modified .chm files.", "meta": { - "author": "@juju4", - "creation_date": "2022/12/27", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "creation_date": "2019/10/24", "falsepositive": [ - "Administrative activity" + "Unlikely" ], - "filename": "proc_creation_win_rdp_session_hijacking.yml", + "filename": "proc_creation_win_hh_chm_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "value": "HH.EXE Execution" + }, + { + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/04/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hxtsr_masquerading.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moti_B/status/909449115477659651", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_session_hijacking.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml" ], "tags": [ - "attack.execution" + "attack.defense_evasion", + "attack.t1036" ] }, - "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", - "value": "Potential RDP Session Hijacking Activity" + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4e762605-34a8-406d-b72e-c1a089313320", + "value": "Fake Instance Of Hxtsr.exe" }, { "description": "Detects suspicious SSH tunnel port forwarding to a local port", @@ -66902,9 +74045,10 @@ ], "tags": [ "attack.command_and_control", - "attack.t1572", "attack.lateral_movement", - "attack.t1021.001" + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" ] }, "related": [ @@ -66914,138 +74058,75 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "value": "Port Forwarding Attempt Via SSH" }, { - "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/01/19", + "author": "Florian Roth (Nextron Systems), @neonprimetime", + "creation_date": "2021/09/08", "falsepositive": [ - "Administrative activity using a remote port forwarding to a local port" + "Unknown" ], - "filename": "proc_creation_win_susp_plink_port_forward.yml", + "filename": "proc_creation_win_exploit_cve_2021_40444.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", - "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" + "https://twitter.com/neonprimetime/status/1435584010202255375", + "https://www.joesandbox.com/analysis/476188/1/iochtml", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" + "attack.execution", + "attack.t1059" ] }, "related": [ { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "48a61b29-389f-4032-b317-b30de6b95314", - "value": "Suspicious Plink Port Forwarding" + "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", + "value": "Potential CVE-2021-40444 Exploitation Attempt" }, { - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", "meta": { - "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", - "creation_date": "2021/07/14", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/05/24", "falsepositive": [ - "Unknown", - "Other security solution installers" + "Unknown" ], - "filename": "proc_creation_win_susp_reg_disable_sec_services.yml", + "filename": "proc_creation_win_powershell_webclient_casing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1415295021041979392", - "https://vms.drweb.fr/virus/?i=24144899", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", - "value": "Reg Disable Security Service" - }, - { - "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", - "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/02/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_certutil_encode.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "value": "Certutil Encode" - }, - { - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/n1nj4sec/status/1421190238081277959", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "value": "Mshtml DLL RunHTMLApplication Abuse" - }, - { - "description": "Detects Too long PowerShell command lines", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_long_powershell_commandline.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml" ], "tags": [ "attack.execution", @@ -67061,8 +74142,111 @@ "type": "related-to" } ], - "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", - "value": "Too Long PowerShell Commandlines" + "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "value": "Net WebClient Casing Anomalies" + }, + { + "description": "Detects suspicious process run from unusual locations", + "meta": { + "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_rundll32_run_locations.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2013-05-002", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "value": "Suspicious Process Start Locations" + }, + { + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/13", + "falsepositive": [ + "Some false positives may occur with other tools with similar commandlines" + ], + "filename": "proc_creation_win_pua_chisel.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ] + }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "value": "PUA - Chisel Tunneling Tool Execution" + }, + { + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "value": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, { "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", @@ -67097,6 +74281,43 @@ "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", "value": "Remote File Download via Desktopimgdownldr Utility" }, + { + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "meta": { + "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_manage_bde.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/bohops/status/980659399495741441", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", + "value": "Potential Manage-bde.wsf Abuse To Proxy Execution" + }, { "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", "meta": { @@ -67121,35 +74342,150 @@ "value": "Execution of Suspicious File Type Extension" }, { - "description": "Detects Credential Acquisition via Registry Hive Dumping", + "description": "Detects execution of Net.exe, whether suspicious or benign.", "meta": { - "author": "Tim Rauch", - "creation_date": "2022/10/04", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", - "level": "high", + "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." + ], + "filename": "proc_creation_win_net_susp_execution.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" + "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", - "value": "Credential Acquisition via Registry Hive Dumping" + "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + "value": "Net.exe Execution" + }, + { + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mofcomp_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", + "value": "Suspicious Mofcomp Execution" }, { "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", @@ -67184,125 +74520,6 @@ "uuid": "43103702-5886-11ed-9b6a-0242ac120002", "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" }, - { - "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", - "meta": { - "author": "Markus Neis, Florian Roth", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_bypass_squiblytwo.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://twitter.com/mattifestation/status/986280382042595328", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1047", - "attack.t1220", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", - "value": "SquiblyTwo Execution" - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_automated_collection.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" - ] - }, - "related": [ - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", - "value": "Automated Collection Command Prompt" - }, - { - "description": "Detect use of DirLister.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_dirlister.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", - "value": "Launch DirLister Executable" - }, { "description": "Use of the commandline to shutdown or reboot windows", "meta": { @@ -67357,6 +74574,15 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "value": "Execution in Outlook Temp Folder" }, @@ -67445,27 +74671,6 @@ "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, - { - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "meta": { - "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", - "creation_date": "2022/01/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_executable_invalid_extension.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1481630810495139841?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml" - ], - "tags": "No established tags" - }, - "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "value": "Rundll32 Execution Without DLL File" - }, { "description": "Detects use of chcp to look up the system locale value as part of host discovery", "meta": { @@ -67479,8 +74684,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" ], "tags": [ @@ -67551,12 +74756,155 @@ "value": "RedMimicry Winnti Playbook Execution" }, { - "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "meta": { + "author": "TropChaud", + "creation_date": "2023/01/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", + "https://www.joesandbox.com/analysis/790122/0/html", + "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", + "https://twitter.com/anfam17/status/1607477672057208835", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", + "value": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" + }, + { + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "Cases in which procdump just gets copied to a different directory without any renaming" + ], + "filename": "proc_creation_win_sysinternals_procdump_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1480785527901204481", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", + "value": "Potential Procdump Evasion" + }, + { + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "meta": { + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_run_script_from_ads.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "value": "Run PowerShell Script from ADS" + }, + { + "description": "Adversaries may abuse Visual Basic (VB) for execution", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cscript_vbs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cscript_vbs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", + "value": "Visual Basic Script Execution" + }, + { + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "meta": { "author": "frack113", "creation_date": "2022/01/09", "falsepositive": [ - "Legitimate administration" + "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml", "level": "medium", @@ -67597,10 +74945,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/nas_bench/status/1535322450858233858", + "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" ], "tags": [ @@ -67608,11 +74956,20 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "value": "Explorer Process Tree Break" }, { - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022/12/24", @@ -67625,9 +74982,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -67647,41 +75004,6 @@ "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "value": "Suspicious AgentExecutor PowerShell Execution" }, - { - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", - "Static format arguments - https://petri.com/command-line-wmi-part-3" - ], - "filename": "proc_creation_win_xsl_script_processing.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1220" - ] - }, - "related": [ - { - "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", - "value": "XSL Script Processing" - }, { "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "meta": { @@ -67758,7 +75080,7 @@ "value": "WmiPrvSE Spawned PowerShell" }, { - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/27", @@ -67840,6 +75162,81 @@ "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "value": "Suspicious WindowsTerminal Child Processes" }, + { + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/12/20", + "falsepositive": [ + "Other programs that use these command line option and accepts an 'All' parameter" + ], + "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "value": "HackTool - Bloodhound/Sharphound Execution" + }, { "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", "meta": { @@ -67886,12 +75283,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/zcgonvh/NTDSDumpEx", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], @@ -67912,41 +75309,6 @@ "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "value": "Suspicious Process Patterns NTDS.DIT Exfil" }, - { - "description": "Detects a command used by conti to dump database", - "meta": { - "author": "frack113", - "creation_date": "2021/08/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_conti_sqlcmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ] - }, - "related": [ - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", - "value": "Conti Backup Database" - }, { "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", "meta": { @@ -67960,13 +75322,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://www.cobaltstrike.com/help-opsec", "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://www.cobaltstrike.com/help-opsec", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -68019,30 +75381,6 @@ "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", "value": "BlueMashroom DLL Load" }, - { - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_crackmapexec_flags.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" - ], - "tags": "No established tags" - }, - "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "value": "CrackMapExec Command Line Flags" - }, { "description": "Detects use of redirection character \">\" to redicrect information in commandline", "meta": { @@ -68064,41 +75402,58 @@ "attack.t1082" ] }, - "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "value": "Redirect Output in CommandLine" - }, - { - "description": "Adversaries may abuse Visual Basic (VB) for execution", - "meta": { - "author": "frack113", - "creation_date": "2022/01/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_cscript_vbs.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005" - ] - }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", - "value": "Cscript Visual Basic Script Execution" + "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "value": "Redirect Output in CommandLine" + }, + { + "description": "Detects usage of the SysInternals Procdump utility", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/08/16", + "falsepositive": [ + "Legitimate use of procdump by a developer or administrator" + ], + "filename": "proc_creation_win_sysinternals_procdump.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "value": "Procdump Execution" }, { "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", @@ -68166,38 +75521,37 @@ "value": "PowerShell Download Pattern" }, { - "description": "Detects the execution of SecurityXploded Tools", + "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/12/19", + "author": "frack113", + "creation_date": "2021/12/12", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_hack_secutyxploded.yml", - "level": "critical", + "filename": "proc_creation_win_wmic_recon_group.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityxploded.com/", - "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml" ], "tags": [ - "attack.credential_access", - "attack.t1555" + "attack.discovery", + "attack.t1069.001" ] }, "related": [ { - "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "value": "SecurityXploded Tool" + "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", + "value": "Local Groups Reconnaissance Via Wmic.EXE" }, { "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", @@ -68213,9 +75567,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" ], "tags": [ @@ -68227,38 +75581,37 @@ "value": "Weak or Abused Passwords In CLI" }, { - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/12/04", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/10", "falsepositive": [ - "Unlikely" + "Administrative activity" ], - "filename": "proc_creation_win_hack_sysmoneop.yml", - "level": "critical", + "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml" + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml" ], "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" + "attack.discovery", + "attack.t1087.001" ] }, "related": [ { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "value": "SysmonEOP Hack Tool" + "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, { "description": "Detects python spawning a pretty tty", @@ -68328,37 +75681,29 @@ "value": "Replace.exe Usage" }, { - "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", "meta": { - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "creation_date": "2020/10/08", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/10/13", "falsepositive": [ - "Administrators or Power users may remove their shares via cmd line" + "Legitimate usage of office automation via scripting" ], - "filename": "proc_creation_win_susp_mounted_share_deletion.yml", - "level": "low", + "filename": "proc_creation_win_office_svchost_parent.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml" + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", + "https://github.com/med0x2e/vba2clr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1070.005" + "attack.execution", + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", - "value": "Mounted Share Deleted" + "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "value": "Suspicious New Instance Of An Office COM Object" }, { "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", @@ -68410,9 +75755,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -68420,9 +75765,53 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", "value": "Powershell Base64 Encoded MpPreference Cmdlet" }, + { + "description": "Detects the creation of a new service using powershell.", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2023/02/20", + "falsepositive": [ + "Legitimate administrator or user creates a service for legitimate reasons.", + "Software installation" + ], + "filename": "proc_creation_win_powershell_create_service.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", + "value": "New Service Creation Using PowerShell" + }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", "meta": { @@ -68447,6 +75836,13 @@ ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -68527,30 +75923,72 @@ "value": "Lazarus Loaders" }, { - "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "meta": { - "author": "frack113", - "creation_date": "2021/12/13", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/21", "falsepositive": [ - "Administrative activity" + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], - "filename": "proc_creation_win_susp_adfind_enumeration.yml", + "filename": "proc_creation_win_schtasks_env_folder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" + "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ - "attack.discovery", - "attack.t1087.002" + "attack.execution", + "attack.t1053.005" ] }, - "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "value": "Suspicious AdFind Enumeration" + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "81325ce1-be01-4250-944f-b4789644556f", + "value": "Suspicious Schtasks From Env Var Folder" + }, + { + "description": "Detects the use of SDelete to erase a file not the free space", + "meta": { + "author": "frack113", + "creation_date": "2021/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysinternals_sdelete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a4824fca-976f-4964-b334-0621379e84c4", + "value": "Potential File Overwrite Via Sysinternals SDelete" }, { "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", @@ -68609,174 +76047,70 @@ "value": "Script Event Consumer Spawning Process" }, { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", "meta": { - "author": "frack113", - "creation_date": "2021/12/12", + "author": "Markus Neis", + "creation_date": "2018/06/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmic_group_recon.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "related": [ - { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", - "value": "Suspicious Get Local Groups Information with WMIC" - }, - { - "description": "An adversary might use WMI to execute commands on a remote system", - "meta": { - "author": "frack113", - "creation_date": "2022/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_remote_command.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd", - "value": "WMI Remote Command Execution" - }, - { - "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", - "meta": { - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", - "creation_date": "2022/05/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_jlaive_batch_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", - "https://github.com/ch2sh/Jlaive", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ] - }, - "related": [ - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", - "value": "Jlaive Usage For Assembly Execution In-Memory" - }, - { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" - ], - "filename": "proc_creation_win_mstsc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "value": "Remote Desktop Protocol Use Mstsc" - }, - { - "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_csexec.yml", + "filename": "proc_creation_win_mshta_lethalhta_technique.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", - "https://github.com/malcomvetter/CSExec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml" + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml" ], "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1218.005" ] }, "related": [ { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", - "value": "CsExec Remote Execution Tool Usage" + "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "value": "Potential LethalHTA Technique Execution" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_remote_access_tools_logmein.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "value": "Use of LogMeIn Remote Access Software" }, { "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", @@ -68801,8 +76135,17 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", - "value": "Modifies the Registry From a ADS" + "value": "Suspicious Registry Modification From ADS Via Regini.EXE" }, { "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", @@ -68869,71 +76212,7 @@ } ], "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", - "value": "Mshta Remotely Hosted HTA File Execution" - }, - { - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "meta": { - "author": "Andreas Hunkeler (@Karneades)", - "creation_date": "2021/12/20", - "falsepositive": [ - "Rare intended use of hidden services" - ], - "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "value": "Abuse of Service Permissions to Hide Services in Tools" - }, - { - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_enumeration_for_credentials_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ] - }, - "related": [ - { - "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", - "value": "Enumeration for 3rd Party Creds From CLI" + "value": "Remotely Hosted HTA File Executed Via Mshta.EXE" }, { "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", @@ -68951,7 +76230,9 @@ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion" + ] }, "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", "value": "Suspicious Characters in CommandLine" @@ -69023,46 +76304,27 @@ "value": "Suspicious Extrac32 Execution" }, { - "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", + "description": "Detects potential RDP Session Hijacking activity on Windows systems", "meta": { - "author": "Markus Neis", - "creation_date": "2018/12/27", + "author": "@juju4", + "creation_date": "2022/12/27", "falsepositive": [ - "Unknown" + "Administrative activity" ], - "filename": "proc_creation_win_susp_outlook.yml", - "level": "high", + "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" + "https://twitter.com/Moti_B/status/909449115477659651", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml" ], "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" + "attack.execution" ] }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", - "value": "Suspicious Execution from Outlook" + "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "value": "Potential RDP Session Hijacking Activity" }, { "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", @@ -69085,6 +76347,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "value": "Disabled IE Security Features" }, @@ -69112,87 +76383,27 @@ "value": "Nslookup PowerShell Download Cradle - ProcessCreation" }, { - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/02", + "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", + "creation_date": "2022/11/10", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_malicious_cmdlets.yml", + "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", - "https://adsecurity.org/?p=2921", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/besimorhino/powercat", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml" + "https://twitter.com/filip_dragovic/status/1590104354727436290", + "https://twitter.com/filip_dragovic/status/1590052248260055041", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" ], - "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" - ] + "tags": "No established tags" }, - "related": [ - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc", - "value": "Malicious PowerShell Commandlets - ProcessCreation" + "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "value": "Suspicious Sysmon as Execution Parent" }, { "description": "Detects suspicious command line to remove and 'exe' or 'dll'", @@ -69227,69 +76438,6 @@ "uuid": "204b17ae-4007-471b-917b-b917b315c5db", "value": "Suspicious Del in CommandLine" }, - { - "description": "This command line patterns found in BlackByte Ransomware operations", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ransom_blackbyte.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" - ], - "tags": "No established tags" - }, - "uuid": "999e8307-a775-4d5f-addc-4855632335be", - "value": "BlackByte Ransomware Patterns" - }, - { - "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", - "meta": { - "author": "frack113", - "creation_date": "2021/12/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_false_sysinternalsuite.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", - "value": "Potential Binary Impersonating Sysinternals Tools" - }, { "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "meta": { @@ -69332,11 +76480,20 @@ "attack.t1036" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "value": "Suspicious Calculator Usage" }, { - "description": "Detects the execution of a renamed office binaries", + "description": "Detects the execution of a renamed office binary", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/20", @@ -69358,66 +76515,6 @@ "uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "value": "Renamed Office Binary Execution" }, - { - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/31", - "falsepositive": [ - "Installation of unsigned packages for testing purposes" - ], - "filename": "proc_creation_win_install_unsigned_appx_packages.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", - "https://twitter.com/WindowsDocs/status/1620078135080325122", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion" - ] - }, - "uuid": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", - "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage" - }, - { - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "meta": { - "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", - "creation_date": "2021/02/24", - "falsepositive": [ - "Admin activity (unclear what they do nowadays with finger.exe)" - ], - "filename": "proc_creation_win_susp_finger_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", - "value": "Finger.exe Suspicious Invocation" - }, { "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "meta": { @@ -69453,6 +76550,144 @@ "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", "value": "MpiExec Lolbin" }, + { + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/04/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/kagancapar/CVE-2022-29072", + "https://twitter.com/kagancapar/status/1515219358234161153", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_29072_7zip.yml" + ], + "tags": [ + "attack.execution", + "cve.2022.29072" + ] + }, + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "value": "Potential CVE-2022-29072 Exploitation Attempt" + }, + { + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_office.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_office.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "value": "Suspicious File Download Using Office Application" + }, + { + "description": "Detects indicators of a UAC bypass method by mocking directories", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/08/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_trustedpath.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "value": "TrustedPath UAC Bypass Pattern" + }, + { + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "value": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" + }, { "description": "Detects usage of the \"systeminfo\" command to retrieve information", "meta": { @@ -69475,46 +76710,54 @@ "attack.t1082" ] }, - "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "value": "Suspicious Execution of Systeminfo" - }, - { - "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190", - "meta": { - "author": "GossiTheDog (rule), frack113 (sigma version)", - "creation_date": "2022/06/09", - "falsepositive": [ - "Legitimate usage of \".diagcab\" files" - ], - "filename": "proc_creation_win_msdt_diagcab.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, "related": [ { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", - "value": "Execute MSDT.EXE Using Diagcab File" + "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "value": "Suspicious Execution of Systeminfo" }, { - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/29", + "falsepositive": [ + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "filename": "proc_creation_win_powershell_sam_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/splinter_code/status/1420546784250769408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1af57a4b-460a-4738-9034-db68b880c665", + "value": "PowerShell SAM Copy" + }, + { + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022/12/24", @@ -69527,9 +76770,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ @@ -69549,41 +76792,6 @@ "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "value": "AgentExecutor PowerShell Execution" }, - { - "description": "Detects execution of renamed version of PAExec. Often used by attackers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/22", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" - ], - "filename": "proc_creation_win_susp_renamed_paexec.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "value": "Renamed PAExec" - }, { "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", "meta": { @@ -69650,6 +76858,40 @@ "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "value": "UAC Bypass Using NTFS Reparse Point - Process" }, + { + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/11/18", + "falsepositive": [ + "Procdump illegaly bundled with legitimate software", + "Administrators who rename binaries (should be investigated)" + ], + "filename": "proc_creation_win_renamed_sysinternals_procdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "value": "Renamed ProcDump Execution" + }, { "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", "meta": { @@ -69685,49 +76927,37 @@ "value": "Application Whitelisting Bypass via PresentationHost.exe" }, { - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/13", + "author": "frack113", + "creation_date": "2022/08/28", "falsepositive": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" + "Legitimate use of Nim on a developer systems" ], - "filename": "proc_creation_win_rpcss_anomalies.yml", + "filename": "proc_creation_win_pua_nimgrab.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", - "https://twitter.com/cyb3rops/status/1514217991034097664", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" + "attack.command_and_control", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "value": "Remote Procedure Call Service Anomaly" + "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "value": "PUA - Nimgrab Execution" }, { "description": "Detects execution of of Dxcap.exe", @@ -69742,8 +76972,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/992008180904419328", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ @@ -69764,39 +76994,37 @@ "value": "Application Whitelisting Bypass via Dxcap.exe" }, { - "description": "Conti ransomware command line ioc", + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { - "author": "frack113", - "creation_date": "2021/10/12", + "author": "Bhabesh Raj", + "creation_date": "2022/08/01", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_conti_cmd_ransomware.yml", - "level": "critical", + "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", - "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml" ], "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" + "attack.defense_evasion", + "attack.t1574.002" ] }, "related": [ { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", - "value": "Conti Ransomware Execution" + "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "value": "DLL Sideloading by Microsoft Defender" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", @@ -69844,8 +77072,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" ], "tags": [ @@ -69855,6 +77083,13 @@ ] }, "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ @@ -69879,8 +77114,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" ], "tags": [ @@ -69888,9 +77123,52 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "value": "Xwizard DLL Sideloading" }, + { + "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "meta": { + "author": "frack113", + "creation_date": "2023/01/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "28ac00d6-22d9-4a3c-927f-bbd770104573", + "value": "Disabled RestrictedAdminMode For RDS - ProcCreation" + }, { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "meta": { @@ -69912,6 +77190,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "value": "Uninstall Crowdstrike Falcon" }, @@ -69937,50 +77224,17 @@ "attack.t1124" ] }, - "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", - "value": "Discovery of a System Time" - }, - { - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "meta": { - "author": "Sreeman, Nasreddine Bencherchali", - "creation_date": "2020/01/13", - "falsepositive": [ - "Administrative scripts (installers)" - ], - "filename": "proc_creation_win_susp_curl_start_combo.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ] - }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "value": "Curl Start Combination" + "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", + "value": "Discovery of a System Time" }, { "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", @@ -70015,79 +77269,6 @@ "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", "value": "Conhost Parent Process Executions" }, - { - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". \nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/08/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_deviceenroller_evasion.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", - "value": "DLL Sideloading via DeviceEnroller.exe" - }, - { - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2023/01/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_win_server_undocumented_rce.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20", - "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml" - ], - "tags": "No established tags" - }, - "uuid": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", - "value": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE" - }, - { - "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", - "meta": { - "author": "frack113", - "creation_date": "2022/01/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_radmin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.radmin.fr/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" - ] - }, - "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", - "value": "Use Radmin Viewer Utility" - }, { "description": "Detects a command used by conti to find volume shadow backups", "meta": { @@ -70101,8 +77282,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" ], "tags": [ @@ -70123,38 +77304,40 @@ "value": "Conti Volume Shadow Listing" }, { - "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/11/29", "falsepositive": [ - "Unlikely (at.exe deprecated as of Windows 8)" + "Unlikely" ], - "filename": "proc_creation_win_interactive_at.yml", + "filename": "proc_creation_win_hktl_powertool.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" + "attack.defense_evasion", + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "value": "Interactive AT Job" + "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "value": "HackTool - PowerTool Execution" }, { "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", @@ -70177,41 +77360,17 @@ "attack.t1021" ] }, - "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "value": "Privilege Escalation via Named Pipe Impersonation" - }, - { - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/23", - "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" - ], - "filename": "proc_creation_win_susp_schtasks_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, "related": [ { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", - "value": "Suspicious Add Scheduled Command Pattern" + "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "value": "Privilege Escalation via Named Pipe Impersonation" }, { "description": "Detects a highly relevant Antivirus alert that reports a password dumper", @@ -70226,9 +77385,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", - "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -70247,6 +77406,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ @@ -70278,9 +77444,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://twitter.com/mvelazco/status/1410291741241102338", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" ], "tags": [ @@ -70288,6 +77454,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" }, @@ -70337,9 +77512,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], @@ -70416,16 +77591,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -70433,6 +77608,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", "value": "Antivirus Web Shell Detection" }, @@ -70449,12 +77633,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -70532,8 +77716,8 @@ "logsource.product": "okta", "refs": [ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -70554,8 +77738,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -70588,8 +77772,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -70612,8 +77796,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -70636,8 +77820,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -70660,8 +77844,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -70684,8 +77868,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -70708,8 +77892,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -70742,8 +77926,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -70766,8 +77950,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -70790,8 +77974,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -70814,8 +77998,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -70852,8 +78036,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -71036,11 +78220,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", + "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.sygnia.co/golden-saml-advisory", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" ], "tags": [ @@ -71082,6 +78266,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", "value": "Logon from a Risky IP Address" }, @@ -71232,6 +78425,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7eab125-5f94-43df-8710-795b80fa1189", "value": "Microsoft 365 - Impossible Travel Activity" }, @@ -71505,8 +78707,8 @@ "logsource.product": "github", "refs": [ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -71529,12 +78731,12 @@ "value": "Github High Risk Configuration Disabled" }, { - "description": "A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\nThis rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,\nit should be validated from GitHub UI becasue the log entry may not provide full context.\n", + "description": "A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\nThis rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,\nit should be validated from GitHub UI because the log entry may not provide full context.\n", "meta": { "author": "Muhammad Faisal", "creation_date": "2023/01/27", "falsepositive": [ - "Allowed self-hosted runners changes in the envrionment.", + "Allowed self-hosted runners changes in the environment.", "A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.", "An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day." ], @@ -71543,8 +78745,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", + "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ @@ -71599,8 +78801,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -71730,10 +78932,10 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://github.com/elastic/detection-rules/pull/1267", - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], @@ -71782,9 +78984,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -71835,8 +79037,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ @@ -71915,6 +79117,13 @@ ] }, "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ @@ -72005,8 +79214,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -72039,9 +79248,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], "tags": [ @@ -72064,8 +79273,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -72146,8 +79355,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], @@ -72251,13 +79460,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -72442,6 +79651,15 @@ "attack.t1070" ] }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20f754db-d025-4a8f-9d74-e0037e999a9a", "value": "SES Identity Has Been Deleted" }, @@ -72666,6 +79884,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d914951b-52c8-485f-875e-86abab710c0b", "value": "AWS Lambda Function Created or Invoked" }, @@ -72710,6 +79937,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", @@ -72811,6 +80045,13 @@ ] }, "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ @@ -72824,6 +80065,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", @@ -72918,6 +80166,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", "value": "AWS CloudTrail Important Change" }, @@ -73124,8 +80381,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ @@ -73150,6 +80407,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", @@ -73176,6 +80440,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", "value": "AWS GuardDuty Important Change" }, @@ -73216,9 +80489,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -73260,6 +80533,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221", "value": "AWS Macie Evasion" }, @@ -73339,6 +80621,15 @@ "attack.t1016" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3d53999-4b14-4ddd-9d9b-e618c366b54d", "value": "Potential Network Enumeration on AWS" }, @@ -73356,8 +80647,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -73420,6 +80711,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07330162-dba1-4746-8121-a9647d49d297", "value": "AWS Config Disabling Channel/Recorder" }, @@ -73494,6 +80794,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", @@ -73558,6 +80865,13 @@ ] }, "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ @@ -73627,6 +80941,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", "value": "Applications That Are Using ROPC Authentication Flow" }, @@ -73764,6 +81087,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", @@ -73793,6 +81123,13 @@ ] }, "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ @@ -73810,7 +81147,7 @@ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022/08/10", "falsepositive": [ - "Administrator adding a legitmate temporary access pass" + "Administrator adding a legitimate temporary access pass" ], "filename": "azure_tap_added.yml", "level": "high", @@ -73858,6 +81195,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", "value": "Azure Subscription Permission Elevation Via AuditLogs" }, @@ -73882,6 +81228,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", "value": "Account Created And Deleted Within A Close Time Frame" }, @@ -73946,6 +81301,13 @@ ] }, "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ @@ -74017,6 +81379,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", "value": "Increased Failed Authentications Of Any Type" }, @@ -74243,6 +81614,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", "value": "Azure Domain Federation Settings Modified" }, @@ -74291,6 +81671,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f272fb46-25f2-422c-b667-45837994980f", "value": "Authentications To Important Apps Using Single Factor Authentication" }, @@ -74308,8 +81697,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" ], "tags": [ @@ -74455,6 +81844,15 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", "value": "Sign-in Failure Bad Password Threshold" }, @@ -74529,11 +81927,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -74688,6 +82086,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", "value": "Measurable Increase Of Successful Authentications" }, @@ -74721,6 +82128,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", @@ -75208,6 +82622,15 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", "value": "Account Lockout" }, @@ -75377,6 +82800,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ @@ -75479,6 +82909,13 @@ ], "type": "related-to" }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ @@ -75512,6 +82949,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "value": "PIM Alert Setting Changes To Disabled" }, @@ -75561,11 +83007,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -75632,11 +83078,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" ], "tags": [ @@ -75678,6 +83124,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "80eeab92-0979-4152-942d-96749e11df40", @@ -75737,6 +83190,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", @@ -75799,11 +83259,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -75876,6 +83336,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", @@ -75911,6 +83378,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", @@ -75930,9 +83404,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" ], @@ -75975,6 +83449,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", "value": "Guest Users Invited To Tenant By Non Approved Inviters" }, @@ -76025,11 +83508,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -76152,6 +83635,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002", "value": "Suspicious SignIns From A Non Registered Device" }, @@ -76442,6 +83934,15 @@ "attack.t1078" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8366030e-7216-476b-9927-271d79f13cf3", "value": "Azure Unusual Authentication Interruption" }, @@ -76502,6 +84003,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", "value": "Application Using Device Code Authentication Flow" }, @@ -76628,6 +84138,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", @@ -76647,11 +84164,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -76676,11 +84193,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -76775,6 +84292,15 @@ "attack.t1499" ] }, + "related": [ + { + "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", "value": "Multiple Modsecurity Blocks" }, @@ -76814,9 +84340,9 @@ "value": "CVE-2021-21978 Exploitation Attempt" }, { - "description": "Detects Windows Webshells that use GET requests via access logs", + "description": "Detects common commands used in Windows webshells", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017/02/19", "falsepositive": [ "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", @@ -76827,8 +84353,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -76836,6 +84362,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", "value": "Windows Webshell Strings" }, @@ -76853,8 +84388,8 @@ "logsource.product": "No established product", "refs": [ "https://twitter.com/jas502n/status/1321416053050667009?s=20", - "https://isc.sans.edu/diary/26734", "https://twitter.com/sudo_sudoka/status/1323951871078223874", + "https://isc.sans.edu/diary/26734", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml" ], "tags": [ @@ -76888,10 +84423,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", - "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", + "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26084_confluence_rce_exploit.yml" ], "tags": [ @@ -76957,8 +84492,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml" ], "tags": [ @@ -77000,6 +84535,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", "value": "Solarwinds SUPERNOVA Webshell Access" }, @@ -77035,6 +84579,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", @@ -77053,8 +84604,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://dmaasland.github.io/posts/citrix.html", "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://dmaasland.github.io/posts/citrix.html", "https://support.citrix.com/article/CTX276688", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml" ], @@ -77122,8 +84673,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], "tags": "No established tags" @@ -77146,8 +84697,8 @@ "refs": [ "https://twitter.com/Al1ex4/status/1382981479727128580", "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", - "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", "https://github.com/murataydemir/CVE-2021-27905", + "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", "https://twitter.com/sec715/status/1373472323538362371", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_27905_apache_solr_exploit.yml" ], @@ -77182,9 +84733,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.yang99.top/index.php/archives/82/", "https://github.com/vnhacker1337/CVE-2022-27925-PoC", "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", + "https://www.yang99.top/index.php/archives/82/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_27925_exploit.yml" ], "tags": [ @@ -77219,9 +84770,9 @@ "logsource.product": "No established product", "refs": [ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", - "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", - "https://twitter.com/_0xf4n9x_/status/1572052954538192901", "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" ], "tags": [ @@ -77257,9 +84808,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://github.com/payloadbox/sql-injection-payload-list", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], @@ -77281,9 +84832,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -77338,6 +84889,41 @@ "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", "value": "Exploitation of CVE-2021-26814 in Wazuh" }, + { + "description": "Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2023/02/23", + "falsepositive": [ + "Vulnerability scanners" + ], + "filename": "web_cve_2023_23752_joomla_exploit_attempt.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://xz.aliyun.com/t/12175", + "https://twitter.com/momika233/status/1626464189261942786", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2023_23752_joomla_exploit_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2023.23752" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e1ebc5a-15d0-4bf6-8199-b2535397433a", + "value": "Potential CVE-2023-23752 Exploitation Attempt" + }, { "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", "meta": { @@ -77385,8 +84971,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_nginx_core_dump.yml" ], "tags": [ @@ -77419,8 +85005,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22893_pulse_secure_rce_exploit.yml" ], "tags": [ @@ -77487,8 +85073,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -77496,6 +85082,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", "value": "Source Code Enumeration Detection by Keyword" }, @@ -77512,10 +85107,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://support.f5.com/csp/article/K52145254", - "https://twitter.com/yorickkoster/status/1279709009151434754", - "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://support.f5.com/csp/article/K52145254", + "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://twitter.com/yorickkoster/status/1279709009151434754", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml" ], "tags": [ @@ -77548,8 +85143,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://f5.pm/go-59627.html", "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://f5.pm/go-59627.html", "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" ], @@ -77616,8 +85211,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/rapid7/metasploit-framework/pull/17407", "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", + "https://github.com/rapid7/metasploit-framework/pull/17407", "https://github.com/0xf4n9x/CVE-2022-46169", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml" ], @@ -77653,11 +85248,11 @@ "logsource.product": "No established product", "refs": [ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", "https://news.ycombinator.com/item?id=29504755", - "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://github.com/YfryTchsGD/Log4jAttackSurface", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml" ], "tags": [ @@ -77698,6 +85293,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", "value": "DEWMODE Webshell Access" }, @@ -77747,11 +85351,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -77832,8 +85436,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/pyn3rd/status/1351696768065409026", "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://twitter.com/pyn3rd/status/1351696768065409026", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_2109_weblogic_rce_exploit.yml" ], "tags": [ @@ -77901,8 +85505,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://blog.assetnote.io/2021/11/02/sitecore-rce/", "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", + "https://blog.assetnote.io/2021/11/02/sitecore-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml" ], "tags": [ @@ -77935,9 +85539,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/apache/spark/pull/36315/files", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -77971,9 +85575,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], "tags": [ @@ -78106,8 +85710,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell.yml" ], @@ -78141,8 +85745,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml" ], @@ -78175,6 +85779,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", "value": "Webshell ReGeorg Detection Via Web Logs" }, @@ -78192,11 +85805,11 @@ "logsource.product": "No established product", "refs": [ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", "https://news.ycombinator.com/item?id=29504755", - "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://github.com/YfryTchsGD/Log4jAttackSurface", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml" ], "tags": [ @@ -78229,8 +85842,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://seclists.org/fulldisclosure/2023/Jan/1", "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/", + "https://seclists.org/fulldisclosure/2023/Jan/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml" ], "tags": [ @@ -78330,9 +85943,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", "https://www.tenable.com/security/research/tra-2021-13", - "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" ], "tags": [ @@ -78422,6 +86035,43 @@ "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" }, + { + "description": "Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.", + "meta": { + "author": "Isa Almannaei", + "creation_date": "2023/02/13", + "falsepositive": [ + "Vulnerability Scanners" + ], + "filename": "web_cve_2022_21587_oracle_ebs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/", + "https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/", + "https://github.com/hieuminhnv/CVE-2022-21587-POC", + "https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_21587_oracle_ebs.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.21587" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d033cb8a-8669-4a8e-a974-48d4185a8503", + "value": "Potential CVE-2022-21587 Exploitation Attempt" + }, { "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", "meta": { @@ -78469,12 +86119,12 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", + "https://twitter.com/ptswarm/status/1445376079548624899", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", "https://twitter.com/bl4sty/status/1445462677824761878", + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", "https://twitter.com/h4x0r_dz/status/1445401960371429381", - "https://twitter.com/ptswarm/status/1445376079548624899", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_41773_apache_path_traversal.yml" ], "tags": [ @@ -78507,8 +86157,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", "https://www.exploit-db.com/exploits/39161", + "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml" ], @@ -78526,6 +86176,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", @@ -78545,8 +86202,8 @@ "logsource.product": "No established product", "refs": [ "https://www.exploit-db.com/exploits/19525", - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -78612,8 +86269,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml" ], "tags": [ @@ -78710,6 +86367,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", "value": "Suspicious Windows Strings In URI" }, @@ -78728,9 +86394,9 @@ "refs": [ "https://isc.sans.edu/diary/25686", "https://support.citrix.com/article/CTX267027", - "https://support.citrix.com/article/CTX267679", "https://twitter.com/mpgn_x64/status/1216787131210829826", "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://support.citrix.com/article/CTX267679", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_19781_citrix_exploit.yml" ], "tags": [ @@ -78840,9 +86506,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", - "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" ], "tags": [ @@ -78859,6 +86525,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", @@ -79090,9 +86763,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -79302,9 +86975,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -79357,6 +87030,13 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -79388,12 +87068,12 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "https://perishablepress.com/blacklist/ua-2013.txt", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://perishablepress.com/blacklist/ua-2013.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -79537,8 +87217,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ @@ -79646,6 +87326,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", @@ -79748,8 +87435,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.advanced-ip-scanner.com/", "https://www.advanced-port-scanner.com/", + "https://www.advanced-ip-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml" ], "tags": [ @@ -79782,10 +87469,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.spamhaus.org/statistics/tlds/", - "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://www.spamhaus.org/statistics/tlds/", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -79797,6 +87484,13 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -80060,8 +87754,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -80078,6 +87772,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", @@ -80151,6 +87852,13 @@ ] }, "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -80242,6 +87950,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", @@ -80294,8 +88009,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -80357,6 +88072,57 @@ "uuid": "f1408a58-0e94-4165-b80a-da9f96cf6fc3", "value": "JXA In-memory Execution Via OSAScript" }, + { + "description": "Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_office_susp_child_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://redcanary.com/blog/applescript/", + "https://objective-see.org/blog/blog_0x4B.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059.002", + "attack.t1137.002", + "attack.t1204.002" + ] + }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "69483748-1525-4a6c-95ca-90dc8d431b68", + "value": "Suspicious Microsoft Office Child Process - MacOS" + }, { "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", "meta": { @@ -80378,6 +88144,15 @@ "attack.t1518.001" ] }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", "value": "Security Software Discovery - MacOs" }, @@ -80437,6 +88212,15 @@ "attack.t1113" ] }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", "value": "Screen Capture - macOS" }, @@ -80464,6 +88248,13 @@ ] }, "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ @@ -80496,6 +88287,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", "value": "File and Directory Discovery - MacOS" }, @@ -80587,6 +88387,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", "value": "MacOS Network Service Scanning" }, @@ -80622,6 +88431,20 @@ ] }, "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -80661,6 +88484,89 @@ "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "value": "Suspicious Execution via macOS Script Editor" }, + { + "description": "Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/02/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_persistence_via_plistbuddy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://www.manpagez.com/man/8/PlistBuddy/", + "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.001", + "attack.t1543.004" + ] + }, + "related": [ + { + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "65d506d3-fcfe-4071-b4b2-bcefe721bbbb", + "value": "Potential Persistence Via PlistBuddy" + }, + { + "description": "Detects attempts to enable the guest account using the sysadminctl utility", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/02/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_sysadminctl_enable_guest_account.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://ss64.com/osx/sysadminctl.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078", + "attack.t1078.001" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d7329412-13bd-44ba-a072-3387f804a106", + "value": "Guest Account Enabled Via Sysadminctl" + }, { "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.", "meta": { @@ -80675,6 +88581,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://linux.die.net/man/1/dd", + "https://linux.die.net/man/1/truncate", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -80682,6 +88590,15 @@ "attack.t1027.001" ] }, + "related": [ + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", "value": "Binary Padding - MacOS" }, @@ -80699,6 +88616,7 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" ], "tags": [ @@ -80739,6 +88657,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85de3a19-b675-4a51-bfc6-b11a5186c971", "value": "Potential Discovery Activity Using Find - MacOS" }, @@ -80863,6 +88790,15 @@ "attack.t1016" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", "value": "System Network Discovery - macOS" }, @@ -80911,6 +88847,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", "value": "Credentials In Files" }, @@ -80927,9 +88872,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -80939,57 +88884,6 @@ "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", "value": "Suspicious MacOS Firmware Activity" }, - { - "description": "Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution", - "meta": { - "author": "Sohan G (D4rkCiph3r)", - "creation_date": "2023/01/31", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_susp_microsoft_office_child_processes.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://redcanary.com/blog/applescript/", - "https://objective-see.org/blog/blog_0x4B.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_microsoft_office_child_processes.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059.002", - "attack.t1137.002", - "attack.t1204.002" - ] - }, - "related": [ - { - "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "69483748-1525-4a6c-95ca-90dc8d431b68", - "value": "Suspicious Microsoft Office Child Process" - }, { "description": "Detect file time attribute change to hide new or changes to existing files", "meta": { @@ -81096,6 +88990,15 @@ "attack.t1036.006" ] }, + "related": [ + { + "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", "value": "Space After Filename - macOS" }, @@ -81188,6 +89091,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", "value": "Decode Base64 Encoded Text -MacOs" }, @@ -81212,6 +89124,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", "value": "Macos Remote System Discovery" }, @@ -81248,6 +89169,65 @@ "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "value": "Split A File Into Pieces" }, + { + "description": "Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters", + "meta": { + "author": "Sohan G (D4rkCiph3r)", + "creation_date": "2023/02/18", + "falsepositive": [ + "Legitimate software uses the scripts (preinstall, postinstall)" + ], + "filename": "proc_creation_macos_installer_susp_child_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" + ], + "tags": [ + "attack.t1059", + "attack.t1059.007", + "attack.t1071", + "attack.t1071.001", + "attack.execution", + "attack.command_and_control" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e0cfaecd-602d-41af-988d-f6ccebb2af26", + "value": "Suspicious Installer Package Child Process" + }, { "description": "Detects attempts to use system dialog prompts to capture user credentials", "meta": { @@ -81270,6 +89250,15 @@ "attack.t1056.002" ] }, + "related": [ + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", "value": "GUI Input Capture - macOS" }, @@ -81319,9 +89308,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -81418,6 +89407,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", "value": "Disable Security Tools" }, @@ -81477,6 +89475,15 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", "value": "Network Sniffing - MacOs" }, @@ -81493,9 +89500,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], @@ -81515,8 +89522,8 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], @@ -81538,8 +89545,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], @@ -81561,8 +89568,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -81621,6 +89628,15 @@ "attack.t1574.001" ] }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", "value": "Use Of Hidden Paths Or Files" }, @@ -81678,6 +89694,15 @@ "attack.t1562.006" ] }, + "related": [ + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", "value": "Logging Configuration Changes on Linux Host" }, @@ -81702,6 +89727,15 @@ "attack.t1543.002" ] }, + "related": [ + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", "value": "Systemd Service Creation" }, @@ -81769,6 +89803,15 @@ "attack.t1123" ] }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", "value": "Audio Capture" }, @@ -81793,6 +89836,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", "value": "Credentials In Files - Linux" }, @@ -81817,6 +89869,15 @@ "attack.t1027.001" ] }, + "related": [ + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", "value": "Binary Padding - Linux" }, @@ -81841,6 +89902,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", "value": "Steganography Hide Files with Steghide" }, @@ -81865,6 +89935,15 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", "value": "System Owner or User Discovery" }, @@ -81904,8 +89983,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/xclip", "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://linux.die.net/man/1/xclip", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -81913,6 +89992,15 @@ "attack.t1115" ] }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", "value": "Clipboard Collection with Xclip Tool - Auditd" }, @@ -81937,6 +90025,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", "value": "Steganography Extract Files with Steghide" }, @@ -81954,8 +90051,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://linux.die.net/man/8/insmod", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -81998,6 +90095,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", "value": "Webshell Remote Command Execution" }, @@ -82014,9 +90120,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/berdav/CVE-2021-4034", "https://access.redhat.com/security/cve/CVE-2021-4034", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", + "https://github.com/berdav/CVE-2021-4034", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" ], "tags": [ @@ -82049,9 +90155,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://imagemagick.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://imagemagick.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -82059,6 +90165,15 @@ "attack.t1113" ] }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", "value": "Screen Capture with Import Tool" }, @@ -82117,6 +90232,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "edd595d7-7895-4fa7-acb3-85a18a8772ca", "value": "Steganography Unzip Hidden Information From Picture File" }, @@ -82133,10 +90257,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://mn3m.info/posts/suid-vs-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -82147,6 +90271,13 @@ ] }, "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ @@ -82179,6 +90310,15 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", "value": "System and Hardware Information Discovery" }, @@ -82204,6 +90344,15 @@ "attack.t1562.006" ] }, + "related": [ + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", "value": "Auditing Configuration Changes on Linux Host" }, @@ -82229,6 +90378,15 @@ "attack.t1574.006" ] }, + "related": [ + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", "value": "Modification of ld.so.preload" }, @@ -82284,6 +90442,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", "value": "Steganography Hide Zip Information in Picture File" }, @@ -82443,6 +90610,15 @@ "attack.t1040" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", "value": "Network Sniffing - Linux" }, @@ -82502,6 +90678,15 @@ "attack.t1543.002" ] }, + "related": [ + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", "value": "Systemd Service Reload or Start" }, @@ -82559,6 +90744,15 @@ "attack.t1115" ] }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f200dc3f-b219-425d-a17e-c38467364816", "value": "Clipboard Collection of Image Data with Xclip Tool" }, @@ -82759,6 +90953,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3761e026-f259-44e6-8826-719ed8079408", "value": "Linux Network Service Scanning - Auditd" }, @@ -82784,6 +90987,15 @@ "attack.t1113" ] }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", "value": "Screen Capture with Xwd" }, @@ -82867,9 +91079,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://linux.die.net/man/1/chage", + "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], @@ -82911,6 +91123,15 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", "value": "System Information Discovery - Auditd" }, @@ -82995,10 +91216,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -83014,6 +91235,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", @@ -83098,9 +91326,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -83133,9 +91361,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://book.hacktricks.xyz/shells/shells/linux", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -83166,6 +91394,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", "value": "Shellshock Expression" }, @@ -83283,8 +91520,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://redcanary.com/blog/ebpf-malware/", + "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ @@ -83472,8 +91709,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ @@ -83571,6 +91808,15 @@ "attack.t1574.006" ] }, + "related": [ + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", "value": "Code Injection by ld.so Preload" }, @@ -83587,10 +91833,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "http://pastebin.com/FtygZ1cg", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -83623,8 +91869,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", + "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" ], @@ -83658,8 +91904,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -83866,6 +92112,15 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", "value": "Failed Logins with Different Accounts from Single Source - Linux" }, @@ -83915,8 +92170,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -83949,9 +92204,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -84326,9 +92581,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -84378,6 +92633,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", "value": "Decode Base64 Encoded Text" }, @@ -84402,6 +92666,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", "value": "Linux Remote System Discovery" }, @@ -84463,7 +92736,7 @@ "value": "Triple Cross eBPF Rootkit Execve Hijack" }, { - "description": "Detects usage of \"vim\" and it's sibilings as a GTFOBin to execute and proxy command and binary execution", + "description": "Detects usage of \"vim\" and it's siblings as a GTFOBin to execute and proxy command and binary execution", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/28", @@ -84485,6 +92758,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", "value": "Vim GTFOBin Abuse - Linux" }, @@ -84530,6 +92812,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", "value": "File and Directory Discovery - Linux" }, @@ -84554,6 +92845,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", "value": "Potential Discovery Activity Using Find - Linux" }, @@ -84578,6 +92878,15 @@ "attack.t1115" ] }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", "value": "Clipboard Collection with Xclip Tool" }, @@ -84644,6 +92953,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", @@ -84662,8 +92978,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" ], "tags": [ @@ -84807,11 +93123,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://curl.se/docs/manpage.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://twitter.com/d1r4c/status/1279042657508081664", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -84861,6 +93177,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb382fd5-b454-47ea-a264-1828e4c766d6", "value": "Apt GTFOBin Abuse - Linux" }, @@ -84879,8 +93204,8 @@ "refs": [ "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linux.die.net/man/8/userdel", - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -84921,6 +93246,15 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", "value": "System Information Discovery" }, @@ -84999,6 +93333,15 @@ "attack.t1553.004" ] }, + "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "700fb7e8-2981-401c-8430-be58e189e741", "value": "Suspicious Package Installed - Linux" }, @@ -85125,6 +93468,15 @@ "attack.t1016" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", "value": "System Network Discovery - Linux" }, @@ -85184,6 +93536,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", "value": "Linux Webshell Indicators" }, @@ -85233,8 +93594,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -85301,8 +93662,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" ], "tags": [ @@ -85420,9 +93781,9 @@ "logsource.product": "linux", "refs": [ "https://www.cyberciti.biz/faq/linux-remove-user-command/", - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linux.die.net/man/8/groupdel", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -85489,9 +93850,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/diego-treitos/linux-smart-enumeration", - "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -85499,6 +93860,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", "value": "Capabilities Discovery - Linux" }, @@ -85624,6 +93994,15 @@ "attack.t1046" ] }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", "value": "Linux Network Service Scanning" }, @@ -85649,6 +94028,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", "value": "Copy Passwd Or Shadow From TMP Path" }, @@ -85762,6 +94150,15 @@ "attack.t1057" ] }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", "value": "Process Discovery" }, @@ -85811,8 +94208,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -85894,6 +94291,15 @@ "attack.t1553.004" ] }, + "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", "value": "Install Root Certificate" }, @@ -85966,10 +94372,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "Internal Research", - "https://github.com/pathtofile/bad-bpf", - "https://github.com/Gui774ume/ebpfkit", "https://github.com/carlospolop/PEASS-ng", + "Internal Research", + "https://github.com/Gui774ume/ebpfkit", + "https://github.com/pathtofile/bad-bpf", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" ], "tags": [ @@ -86051,8 +94457,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], @@ -86120,8 +94526,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -86220,8 +94626,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1548/001/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ @@ -86254,9 +94660,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/apache/spark/pull/36315/files", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -86356,6 +94762,15 @@ "attack.t1014" ] }, + "related": [ + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", "value": "Triple Cross eBPF Rootkit Install Commands" }, @@ -86380,9 +94795,18 @@ "attack.t1518.001" ] }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", "value": "Security Software Discovery - Linux" } ], - "version": 20230205 + "version": 20230307 }