From 810cbe5b49f68b9b6ad14a8281879efaf4789bdb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 11 May 2023 10:27:48 +0200
Subject: [PATCH] chg: [sigma] updated to the latest version
---
 clusters/sigma-rules.json | 10096 ++++++++++-------------------------
 1 file changed, 2817 insertions(+), 7279 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index b20e623..3a055b2 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -99,8 +99,8 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
 "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
+ "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
 ],
 "tags": [
@@ -134,10 +134,10 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://core.telegram.org/bots/faq",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://core.telegram.org/bots/faq",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
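Review bot: The @@ -99 and @@ -134 hunks, and every other refs hunk on this page through @@ -5374, remove and re-add the same URLs in a different order with no content change, which suggests the cluster generator does not emit refs in a stable order (the generator itself is not on this page, so this is inferred). That noise is what makes the diffstat read 2817 insertions and 7279 deletions, and it buries the handful of real changes, such as the `"level": "high"` to `"level": "medium"` downgrade in the @@ -2939 hunk. Sorting each refs array deterministically in the generator, while keeping the trailing SigmaHQ rule URL last if that position is intentional, would make future updates of this file reviewable. Until then, anyone consuming this galaxy should diff on uuid plus fields other than refs to see what actually changed.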
@@ -212,8 +212,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -1209,10 +1209,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://threatpost.com/microsoft-petitpotam-poc/168163/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
 ],
 "tags": [
@@ -1321,8 +1321,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
 "https://github.com/OTRF/detection-hackathon-apt29",
+ "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml"
 ],
 "tags": [
@@ -1389,8 +1389,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml"
 ],
 "tags": [
@@ -1591,8 +1591,8 @@
 "logsource.product": "zeek",
 "refs": [
 "https://github.com/Maka8ka/NGLite",
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/nknorg/nkn-sdk-go",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
 ],
 "tags": [
@@ -1649,9 +1649,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
 "https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -1726,12 +1726,12 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
- "https://github.com/corelight/CVE-2021-1675",
 "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
 "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://github.com/corelight/CVE-2021-1675",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
 "tags": [
@@ -1863,10 +1863,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
- "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
 "tags": [
@@ -1907,8 +1907,8 @@
 "logsource.category": "application",
 "logsource.product": "django",
 "refs": [
- "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
 "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
+ "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
 ],
 "tags": [
@@ -2176,8 +2176,8 @@
 "logsource.product": "jvm",
 "refs": [
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
- "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
+ "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
 "tags": [
@@ -2278,8 +2278,8 @@
 "logsource.product": "ruby_on_rails",
 "refs": [
 "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "http://edgeguides.rubyonrails.org/security.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
@@ -2313,9 +2313,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
@@ -2350,9 +2350,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
 ],
 "tags": [
@@ -2375,8 +2375,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
@@ -2401,8 +2401,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
@@ -2437,8 +2437,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
@@ -2481,10 +2481,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
 ],
 "tags": [
@@ -2541,8 +2541,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
@@ -2628,8 +2628,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
@@ -2673,11 +2673,11 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
 ],
 "tags": [
@@ -2701,9 +2701,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
 ],
 "tags": [
@@ -2735,10 +2735,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -2761,8 +2761,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
@@ -2788,9 +2788,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
 "tags": [
@@ -2823,8 +2823,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
@@ -2849,10 +2849,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
 ],
 "tags": [
@@ -2876,8 +2876,8 @@
 "logsource.category": "application",
 "logsource.product": "velocity",
 "refs": [
- "https://antgarsil.github.io/posts/velocity/",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://antgarsil.github.io/posts/velocity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
 ],
 "tags": [
@@ -2931,7 +2931,7 @@
 "value": "Potential Credential Dumping Attempt Via PowerShell"
 },
 {
- "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder",
+ "description": "Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2021/11/27",
@@ -2939,15 +2939,15 @@
 "Updaters and installers are typical false positives. Apply custom filters depending on your environment"
 ],
 "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
 ],
 "tags": [
@@ -2966,7 +2966,7 @@
 }
 ],
 "uuid": "fa34b441-961a-42fa-a100-ecc28c886725",
- "value": "LSASS Access from Program in Suspicious Folder"
+ "value": "LSASS Access From Program in Potentially Suspicious Folder"
 },
 {
 "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.",
@@ -3162,8 +3162,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
 ],
@@ -3418,10 +3418,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
 "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
 ],
 "tags": [
@@ -3455,9 +3455,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
 ],
@@ -3493,11 +3493,11 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
 ],
 "tags": [
@@ -3531,11 +3531,11 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
 ],
 "tags": [
@@ -3635,8 +3635,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
 "https://github.com/D1rkMtr/UnhookingPatch",
+ "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml"
 ],
 "tags": [
@@ -3787,9 +3787,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/codewhitesec/SysmonEnte/",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
 "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
 ],
 "tags": [
@@ -3865,9 +3865,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
 "tags": [
@@ -3946,8 +3946,8 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
 ],
 "tags": [
@@ -4177,10 +4177,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/SigmaHQ/sigma/issues/253",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -4406,8 +4406,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml"
 ],
 "tags": [
@@ -4441,8 +4441,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zcgonvh/EfsPotato",
 "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
 ],
 "tags": [
@@ -4518,18 +4518,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
 "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -4563,8 +4563,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml"
 ],
 "tags": [
@@ -4598,9 +4598,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/SimuLand",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -5073,9 +5073,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -5108,8 +5108,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
 ],
 "tags": [
@@ -5227,8 +5227,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -5262,8 +5262,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": "No established tags"
@@ -5317,9 +5317,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
 "tags": "No established tags"
@@ -5340,8 +5340,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
 ],
 "tags": [
@@ -5374,8 +5374,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -5485,29 +5485,6 @@
 "uuid": "72124974-a68b-4366-b990-d30e0b2a190d",
 "value": "Metasploit SMB Authentication"
 },
- {
- "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/03",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_security_diagtrack_eop_default_login_username.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ]
- },
- "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196",
- "value": "DiagTrackEoP Default Login Username"
- },
 {
 "description": "This events that are generated when using the hacktool Ruler by Sensepost",
 "meta": {
@@ -5521,11 +5498,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
 "https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
 "https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
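Review bot: The "DiagTrackEoP Default Login Username" cluster (uuid `2111118f-7e46-4fc8-974a-59fd8ec95196`) is dropped from the array outright, so any MISP event already tagged with that galaxy cluster will presumably stop resolving once this version is imported; nothing in the hunk records why it went away. If the upstream Sigma rule was retired rather than deleted (the diff does not show which), keeping the entry and flagging it — for example an additional `"meta"` key such as `"deprecated": true` — would preserve existing references while signalling the status change. The same applies to the other fifteen removed entries in this update, from "Defrag Deactivation - Security" and "Pass the Hash Activity 2" through "CVE-2023-23397 Exploitation Attempt", "RottenPotato Like Attack Pattern" and "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"; a one-line mention of the removals in the commit message would also help downstream consumers audit the change.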
@@ -5615,8 +5592,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
@@ -5688,40 +5665,6 @@
 "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b",
 "value": "Impacket PsExec Execution"
 },
- {
- "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_apt_slingshot.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/apt-slingshot/84312/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.s0111"
- ]
- },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7",
- "value": "Defrag Deactivation - Security"
- },
 {
 "description": "Detects remote service activity via remote access to the svcctl named pipe",
 "meta": {
@@ -5811,9 +5754,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": "No established tags"
@@ -5853,41 +5796,6 @@
 "uuid": "098d7118-55bc-4912-a836-dc6483a8d150",
 "value": "Access to ADMIN$ Share"
 },
- {
- "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
- "meta": {
- "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)",
- "creation_date": "2019/06/14",
- "falsepositive": [
- "Administrator activity"
- ],
- "filename": "win_security_pass_the_hash_2.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
- "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1550.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b",
- "value": "Pass the Hash Activity 2"
- },
 {
 "description": "Detects renaming of file while deletion with SDelete tool.",
 "meta": {
@@ -5901,9 +5809,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -5949,27 +5857,6 @@
 "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d",
 "value": "Secure Deletion with SDelete"
 },
- {
- "description": "Detects logon events that specify new credentials",
- "meta": {
- "author": "Max Altgelt (Nextron Systems)",
- "creation_date": "2022/04/06",
- "falsepositive": [
- "Legitimate remote administration activity"
- ],
- "filename": "win_security_susp_logon_newcredentials.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b",
- "value": "Outgoing Logon with New Credentials"
- },
 {
 "description": "Detects certificate creation with template allowing risk permission subject",
 "meta": {
@@ -6030,74 +5917,6 @@
 "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7",
 "value": "Register new Logon Process by Rubeus"
 },
- {
- "description": "Detects activity mentioned in Operation Wocao report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), frack113",
- "creation_date": "2019/12/20",
- "falsepositive": [
- "Administrators that use checkadmin.exe tool to enumerate local administrators"
- ],
- "filename": "win_security_apt_wocao.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.defense_evasion",
- "attack.t1036.004",
- "attack.t1027",
- "attack.execution",
- "attack.t1053.005",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d",
- "value": "Operation 
Wocao Activity - Security"
- },
 {
 "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.",
 "meta": {
@@ -6111,9 +5930,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
 "https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -6238,9 +6057,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
+ "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
 ],
 "tags": [
@@ -6358,35 +6177,6 @@
 "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a",
 "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
 },
- {
- "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
- "meta": {
- "author": "Alexandr Yampolskyi, SOC Prime",
- "creation_date": "2019/03/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_group_modification_logging.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e",
- 
"value": "Group Modification Logging" - }, { "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "meta": { @@ -6436,31 +6226,6 @@ "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", "value": "Transferring Files with Credential Data via Network Shares" }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "meta": { - "author": "@SBousseaden, Florian Roth", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_krbrelayup.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access" - ] - }, - "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", - "value": "KrbRelayUp Attack Pattern" - }, { "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", "meta": { 
@@ -6507,9 +6272,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -6705,57 +6470,6 @@
 "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e",
 "value": "DPAPI Domain Backup Key Extraction"
 },
- {
- "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
- "meta": {
- "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
- "creation_date": "2023/01/19",
- "falsepositive": [
- "Legitimate or intentional inbound connections from public IP addresses on the SMB port."
- ],
- "filename": "win_security_successful_external_remote_smb_login.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1133",
- "attack.t1078",
- "attack.t1110"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc",
- "value": "External Remote SMB Logon from Public IP"
- },
 {
 "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME",
 "meta": {
@@ -6769,8 +6483,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://twitter.com/matthewdunwoody/status/1352356685982146562",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml"
 ],
 "tags": [
@@ -6848,8 +6562,8 @@
 "logsource.product": "windows",
 "refs": [
 "Live environment caused by malware",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
 "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -6910,56 +6624,6 @@
 "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed",
 "value": "NetNTLM Downgrade Attack"
 },
- {
- "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.",
- "meta": {
- "author": "NVISO",
- "creation_date": "2020/05/06",
- "falsepositive": [
- "Legitimate logon attempts over the internet",
- "IPv4-to-IPv6 mapped IPs"
- ],
- "filename": "win_security_susp_failed_logon_source.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.persistence",
- "attack.t1078",
- "attack.t1190",
- "attack.t1133"
- ]
- },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1",
- "value": "Failed Logon From Public IP"
- },
 {
 "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.",
 "meta": {
@@ -6993,40 +6657,6 @@
 "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b",
 "value": "VSSAudit Security Event Source Registration"
 },
- {
- "description": "RDP login with localhost source address may be a tunnelled login",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2019/01/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_rdp_localhost_login.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "car.2013-07-002",
- "attack.t1021.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31",
- "value": "RDP Login from Localhost"
- },
 {
 "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.",
 "meta": {
@@ -7060,64 +6690,6 @@
 "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51",
 "value": "Password Change on Directory Service Restore Mode (DSRM) Account"
 },
- {
- "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
- "meta": {
- "author": "Robert Lee @quantum_cookie",
- "creation_date": "2023/03/16",
- "falsepositive": [
- "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM"
- ],
- "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.initial_access",
- "cve.2023.23397"
- ]
- },
- "uuid": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c",
- "value": "CVE-2023-23397 Exploitation Attempt"
- },
- {
- "description": "Detection of logins performed with WMI",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2019/12/04",
- "falsepositive": [
- "Monitoring tools",
- "Legitimate system administration"
- ],
- "filename": "win_security_susp_wmi_login.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ]
- },
- "related": [
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- 
"uuid": "5af54681-df95-4c26-854f-2565e13cfab0", - "value": "Login with WMI" - }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { @@ -7160,41 +6732,6 @@ "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "value": "Invoke-Obfuscation STDIN+ Launcher - Security" }, - { - "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "meta": { - "author": "Michaela Adams, Zach Mathis", - "creation_date": "2022/11/06", - "falsepositive": [ - "Anti-Virus" - ], - "filename": "win_security_access_token_abuse.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", - "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" - ] - }, - "related": [ - { - "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", - "value": "Access Token Abuse" - }, { "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.", "meta": { 
@@ -7240,8 +6777,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://twitter.com/menasec1/status/1111556090137903104",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
 ],
 "tags": [
@@ -7560,8 +7097,8 @@
 "refs": [
 "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -7874,9 +7411,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -7985,8 +7522,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
 ],
 "tags": [
@@ -8014,40 +7551,6 @@
 "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34",
 "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
 },
- {
- "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
- "meta": {
- "author": "@SBousseaden, Florian Roth",
- "creation_date": "2019/11/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_susp_rottenpotato.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1195284233729777665",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access",
- "attack.t1557.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
- "value": "RottenPotato Like Attack Pattern"
- },
 {
 "description": "Detects service ticket requests using RC4 encryption type",
 "meta": {
@@ -8062,8 +7565,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=3458",
 "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
+ "https://adsecurity.org/?p=3458",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
 ],
 "tags": [
@@ -8083,41 +7586,6 @@
 "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39",
 "value": "Suspicious Kerberos RC4 Ticket Encryption"
 },
- {
- "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "creation_date": "2020/09/02",
- "falsepositive": [
- "SCCM"
- ],
- "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.t1546.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
- "value": "Remote WMI ActiveScriptEventConsumers"
- },
 {
 "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender",
 "meta": {
@@ -8238,8 +7706,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
@@ -8388,41 +7856,6 @@
 "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302",
 "value": "PowerShell Scripts Installed as Services - Security"
 },
- {
- "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)",
- "creation_date": "2019/06/02",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_security_rdp_bluekeep_poc_scanner.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1210",
- "car.2013-07-002"
- ]
- },
- "related": [
- {
- "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8400629e-79a9-4737-b387-5db940ab2367",
- "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
- },
 {
 "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n",
 "meta": {
@@ -8577,9 +8010,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
+ "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
 ],
 "tags": [
@@ -8657,16 +8090,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -8817,8 +8250,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
+ "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
 ],
 "tags": [
@@ -8870,8 +8303,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
 ],
 "tags": [
@@ -8891,57 +8324,6 @@
 "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8",
 "value": "Azure AD Health Service Agents Registry Keys Access"
 },
- {
- "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
- "meta": {
- "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
- "creation_date": "2023/01/19",
- "falsepositive": [
- "Legitimate or intentional inbound connections from public IP addresses on the RDP port."
- ],
- "filename": "win_security_successful_external_remote_rdp_login.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1133",
- "attack.t1078",
- "attack.t1110"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2",
- "value": "External Remote RDP Logon from Public IP"
- },
 {
 "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN",
 "meta": {
@@ -8988,8 +8370,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
 ],
 "tags": [
@@ -9151,8 +8533,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
 ],
 "tags": [
@@ -9286,9 +8668,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
 "tags": [
@@ -9322,8 +8704,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://adsecurity.org/?p=3466",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -9343,40 +8725,6 @@
 "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc",
 "value": "Active Directory User Backdoors"
 },
- {
- "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
- "meta": {
- "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)",
- "creation_date": "2018/02/12",
- "falsepositive": [
- "Runas command-line tool using /netonly parameter"
- ],
- "filename": "win_security_overpass_the_hash.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.s0002",
- "attack.t1550.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87",
- "value": "Successful Overpass the Hash Attempt"
- },
 {
 "description": "Detects possible addition of shadow credentials to an active directory object.",
 "meta": {
@@ -9425,8 +8773,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
 ],
 "tags": [
@@ -9460,9 +8808,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -9500,27 +8848,6 @@
 "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6",
 "value": "CobaltStrike Service Installations - Security"
 },
- {
- "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466",
- "value": "Suspicious Computer Account Name Change CVE-2021-42287"
- },
 {
 "description": "Addition of domains is seldom and should be verified for legitimacy.",
 "meta": {
@@ -9567,8 +8894,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
@@ -9604,8 +8931,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -9709,8 +9036,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
 "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
 "tags": [
@@ -9768,91 +9095,6 @@
 "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4",
 "value": "Suspicious Scheduled Task Update"
 },
- {
- "description": "Detect remote login by Administrator user (depending on internal pattern).",
- "meta": {
- "author": "juju4",
- "creation_date": "2017/10/29",
- "falsepositive": [
- "Legitimate administrative activity."
- ],
- "filename": "win_security_admin_rdp_login.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://car.mitre.org/wiki/CAR-2016-04-005",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1078.001",
- "attack.t1078.002",
- "attack.t1078.003",
- "car.2016-04-005"
- ]
- },
- "related": [
- {
- "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
- "value": "Admin User Remote Logon"
- },
- {
- "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527",
- "meta": {
- "author": "INIT_6",
- "creation_date": "2021/07/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/INIT_3/status/1410662463641731075",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675",
- "cve.2021.34527"
- ]
- },
- "related": [
- {
- "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8fe1c584-ee61-444b-be21-e9054b229694",
- "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
- },
 {
 "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.",
 "meta": {
@@ -9894,6 +9136,627 @@
 "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641",
 "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
 },
+ {
+ "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/08/03",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_security_diagtrack_eop_default_login_username.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196",
+ "value": "DiagTrackEoP Default Login Username"
+ },
+ {
+ "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
+ "meta": {
+ "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)",
+ "creation_date": "2019/06/14",
+ "falsepositive": [
+ "Administrator activity"
+ ],
+ "filename": "win_security_pass_the_hash_2.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
+ "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1550.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b",
+ "value": "Pass the Hash Activity 2"
+ },
+ {
+ "description": "Detects logon events that specify new credentials",
+ "meta": {
+ "author": "Max Altgelt (Nextron Systems)",
+ "creation_date": "2022/04/06",
+ "falsepositive": [
+ "Legitimate remote administration activity"
+ ],
+ "filename": "win_security_susp_logon_newcredentials.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b",
+ "value": "Outgoing Logon with New Credentials"
+ },
+ {
+ "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like",
+ "meta": {
+ "author": "@SBousseaden, Florian Roth",
+ "creation_date": "2022/04/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_susp_krbrelayup.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.credential_access"
+ ]
+ },
+ "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b",
+ "value": "KrbRelayUp Attack Pattern"
+ },
+ {
+ "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
+ "meta": {
+ "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate or intentional inbound connections from public IP addresses on the SMB port."
+ ],
+ "filename": "win_security_successful_external_remote_smb_login.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.credential_access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc",
+ "value": "External Remote SMB Logon from Public IP"
+ },
+ {
+ "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.",
+ "meta": {
+ "author": "NVISO",
+ "creation_date": "2020/05/06",
+ "falsepositive": [
+ "Legitimate logon attempts over the internet",
+ "IPv4-to-IPv6 mapped IPs"
+ ],
+ "filename": "win_security_susp_failed_logon_source.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.t1078",
+ "attack.t1190",
+ "attack.t1133"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1",
+ "value": "Failed Logon From Public IP"
+ },
+ {
+ "description": "RDP login with localhost source address may be a tunnelled login",
+ "meta": {
+ "author": "Thomas Patzke",
+ "creation_date": "2019/01/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_rdp_localhost_login.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "car.2013-07-002",
+ "attack.t1021.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31",
+ "value": "RDP Login from Localhost"
+ },
+ {
+ "description": "Detects activity when a security-enabled global group is deleted",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_security_enabled_global_group_deleted.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "b237c54b-0f15-4612-a819-44b735e0de27",
+ "value": "A Security-Enabled Global Group Was Deleted"
+ },
+ {
+ "description": "Detection of logins performed with WMI",
+ "meta": {
+ "author": "Thomas Patzke",
+ "creation_date": "2019/12/04",
+ "falsepositive": [
+ "Monitoring tools",
+ "Legitimate system administration"
+ ],
+ "filename": "win_security_susp_wmi_login.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "5af54681-df95-4c26-854f-2565e13cfab0",
+ "value": "Login with WMI"
+ },
+ {
+ "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".",
+ "meta": {
+ "author": "Michaela Adams, Zach Mathis",
+ "creation_date": "2022/11/06",
+ "falsepositive": [
+ "Anti-Virus"
+ ],
+ "filename": "win_security_access_token_abuse.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1134.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f",
+ "value": "Potential Access Token Abuse"
+ },
+ {
+ "description": "Detects activity when a member is removed from a security-enabled global group",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_member_removed_security_enabled_global_group.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "02c39d30-02b5-45d2-b435-8aebfe5a8629",
+ "value": "A Member Was Removed From a Security-Enabled Global Group"
+ },
+ {
+ "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
+ "meta": {
+ "author": "@SBousseaden, Florian Roth",
+ "creation_date": "2019/11/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_susp_rottenpotato.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/SBousseaden/status/1195284233729777665",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.credential_access",
+ "attack.t1557.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
+ "value": "RottenPotato Like Attack Pattern"
+ },
+ {
+ "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network",
+ "meta": {
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "creation_date": "2020/09/02",
+ "falsepositive": [
+ "SCCM"
+ ],
+ "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.privilege_escalation",
+ "attack.persistence",
+ "attack.t1546.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
+ "value": "Remote WMI ActiveScriptEventConsumers"
+ },
+ {
+ "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)",
+ "creation_date": "2019/06/02",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_security_rdp_bluekeep_poc_scanner.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1210",
+ "car.2013-07-002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8400629e-79a9-4737-b387-5db940ab2367",
+ "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
+ },
+ {
+ "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
+ "meta": {
+ "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate or intentional inbound connections from public IP addresses on the RDP port."
+ ],
+ "filename": "win_security_successful_external_remote_rdp_login.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.credential_access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2",
+ "value": "External Remote RDP Logon from Public IP"
+ },
+ {
+ "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
+ "meta": {
+ "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)",
+ "creation_date": "2018/02/12",
+ "falsepositive": [
+ "Runas command-line tool using /netonly parameter"
+ ],
+ "filename": "win_security_overpass_the_hash.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.s0002",
+ "attack.t1550.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87",
+ "value": "Successful Overpass the Hash Attempt"
+ },
+ {
+ "description": "Detects activity when a member is added to a security-enabled global group",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_member_added_security_enabled_global_group.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "c43c26be-2e87-46c7-8661-284588c5a53e",
+ "value": "A Member Was Added to a Security-Enabled Global Group"
+ },
+ {
+ "description": "Detect remote login by Administrator user (depending on internal pattern).",
+ "meta": {
+ "author": "juju4",
+ "creation_date": "2017/10/29",
+ "falsepositive": [ + "Legitimate administrative activity." + ], + "filename": "win_security_admin_rdp_login.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2016-04-005", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" + ] + }, + "related": [ + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "value": "Admin User Remote Logon" + }, { "description": "Detects common NTLM brute force device names", "meta": { @@ -10009,8 +9872,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ 
@@ -10033,8 +9896,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
 ],
 "tags": [
@@ -10057,11 +9920,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
 "tags": [
@@ -10139,8 +10002,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
 ],
 "tags": [
@@ -10196,8 +10059,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml"
 ],
 "tags": [
@@ -10238,8 +10101,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml"
 ],
 "tags": [
@@ -10315,8 +10178,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
 "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
+ "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msexchange_control_panel/win_vul_cve_2020_0688.yml"
 ],
 "tags": [
@@ -10349,8 +10212,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml"
 ],
 "tags": [
@@ -10579,8 +10442,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -10604,8 +10467,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -10661,8 +10524,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -10708,9 +10571,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -10831,8 +10694,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
 ],
 "tags": [
@@ -10889,8 +10752,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -10913,8 +10776,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml"
 ],
 "tags": [
@@ -10980,8 +10843,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
@@ -11002,30 +10865,6 @@
 "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262",
 "value": "Suspicious Rejected SMB Guest Logon From IP"
 },
- {
- "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/04/05",
- "falsepositive": [
- "Some false positives may occur from external trusted servers. Apply additional filters accordingly"
- ],
- "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "cve.2023.23397"
- ]
- },
- "uuid": "de96b824-02b0-4241-9356-7e9b47f04bac",
- "value": "Potential CVE-2023-23397 Exploitation Attempt - SMB"
- },
 {
 "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
 "meta": {
@@ -11062,11 +10901,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://winaero.com/enable-openssh-server-windows-10/",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -11086,76 +10925,6 @@ "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "value": "OpenSSH Server Listening On Socket" }, - { - "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", - "meta": { - "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton", - "creation_date": "2021/06/30", - "falsepositive": [ - "Problems with printer drivers" - ], - "filename": "win_exploit_cve_2021_1675_printspooler.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://twitter.com/fuzzyf10w/status/1410202370835898371", - "https://github.com/afwu/PrintNightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ] - }, - "related": [ - { - "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718", - "value": "Possible CVE-2021-1675 Print Spooler Exploitation" - }, - { - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/01", - "falsepositive": [ - "Unknown" - ], - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/MalwareJake/status/1410421967463731200", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ] - }, - "related": [ - { - "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a", - "value": "CVE-2021-1675 Print Spooler Exploitation" - }, { "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "meta": { @@ -11165,7 +10934,7 @@ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "filename": "win_lsa_server_normal_user_admin.yml", - "level": "high", + "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ @@ -11219,8 +10988,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ 
@@ -11385,6 +11154,41 @@
 "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f",
 "value": "Windows Defender Exclusions Added"
 },
+ {
+ "description": "Detects issues with Windows Defender Real-Time Protection features",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)",
+ "creation_date": "2023/03/28",
+ "falsepositive": [
+ "Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required"
+ ],
+ "filename": "win_defender_real_time_protection_errors.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
+ "Internal Research",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dd80db93-6ec2-4f4c-a017-ad40da6ffe81",
+ "value": "Windows Defender Real-Time Protection Failure/Restart"
+ },
 {
 "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".",
 "meta": {
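Review bot: The new `refs` array for `win_defender_real_time_protection_errors.yml` mixes a free-text entry, `"Internal Research"`, with URLs, while every other `refs` list in this file holds only URLs. Consumers that render `refs` as links (MISP does for galaxy clusters) will produce a dead or malformed link for that entry, and any tooling that validates the array as a list of URIs will reject the whole cluster. Since this file appears to be generated from the Sigma `references` field, the cleaner fix is in the generator: keep only entries that look like URLs in `refs`, e.g. `refs = [r for r in refs if r.startswith(("http://", "https://"))]`, or move non-URL references to a separate free-text key. Dropping the string by hand in this file would be undone on the next regeneration.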
@@ -11622,8 +11426,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
 ],
 "tags": [
@@ -11726,8 +11530,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://isc.sans.edu/diary/22264",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
 ],
@@ -11796,9 +11600,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
 "tags": [
@@ -11832,8 +11636,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
 ],
 "tags": [
@@ -11985,29 +11789,6 @@
 "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b",
 "value": "QuarksPwDump Clearing Access History"
 },
- {
- "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/11/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_system_kdcsvc_rc4_downgrade.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ]
- },
- "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
- "value": "KDC RC4-HMAC Downgrade CVE-2022-37966"
- },
 {
 "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708",
 "meta": {
@@ -12021,8 +11802,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/Ekultek/BlueKeep",
+ "https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -12085,7 +11866,7 @@
 "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx"
 ],
 "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml",
- "level": "high",
+ "level": "low",
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
@@ -12331,8 +12112,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -12732,9 +12513,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -12970,8 +12751,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
 ],
 "tags": [
@@ -13812,8 +13593,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml"
 ],
 "tags": [
@@ -14061,37 +13842,27 @@
 "value": "Sysmon Crash"
 },
 {
- "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n",
+ "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
 "meta": {
- "author": "frack113",
- "creation_date": "2021/12/15",
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/11/09",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "win_system_exploit_cve_2021_42278.yml",
- "level": "medium",
+ "filename": "win_system_kdcsvc_rc4_downgrade.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_exploit_cve_2021_42278.yml"
+ "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml"
 ],
 "tags": [
- "attack.credential_access",
- "attack.t1558.003"
+ "attack.privilege_escalation"
 ]
 },
- "related": [
- {
- "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f",
- "value": "Potential CVE-2021-42278 Exploitation Attempt"
+ "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
+ "value": "KDC RC4-HMAC Downgrade CVE-2022-37966"
 },
 {
 "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",
@@ -14106,9 +13877,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
 ],
 "tags": [
@@ -14141,9 +13912,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
 ],
 "tags": [
@@ -14300,8 +14071,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
 ],
 "tags": [
@@ -14335,8 +14106,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -14502,8 +14273,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -14536,9 +14307,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
@@ -14609,11 +14380,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -14662,10 +14433,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -14688,10 +14459,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -14714,10 +14485,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -14740,10 +14511,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -14766,8 +14537,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml"
 ],
 "tags": [
@@ -14790,9 +14561,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -14815,8 +14586,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml"
 ],
 "tags": [
@@ -15103,8 +14874,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -15231,8 +15002,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
 ],
 "tags": [
@@ -15466,8 +15237,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.dfirnotes.net/portproxy_detection/",
 "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -15502,9 +15273,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/recyclebin.html",
 "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://persistence-info.github.io/Data/recyclebin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -15608,8 +15379,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -15677,8 +15448,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
 ],
 "tags": [
@@ -15711,8 +15482,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
 ],
 "tags": [
@@ -15950,8 +15721,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
 "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -15984,8 +15755,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
 ],
 "tags": [
@@ -16293,8 +16064,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
 ],
 "tags": [
@@ -16681,9 +16452,9 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -16857,11 +16628,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -16894,8 +16665,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml"
 ],
 "tags": [
@@ -16961,8 +16732,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
 ],
 "tags": [
@@ -17020,10 +16791,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -17222,9 +16993,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/991447379864932352",
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
+ "https://twitter.com/Hexacorn/status/991447379864932352",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
 ],
 "tags": [
@@ -17290,8 +17061,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
 "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
 ],
 "tags": [
@@ -17311,50 +17082,6 @@
 "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
 "value": "Potential Persistence Via App Paths Default Property"
 },
- {
- "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum",
- "meta": {
- "author": "Sittikorn S, frack113",
- "creation_date": "2021/07/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml",
- "level": "critical",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1566",
- "attack.t1203",
- "cve.2021.33771",
- "cve.2021.31979"
- ]
- },
- "related": [
- {
- "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00",
- "value": "CVE-2021-31979 CVE-2021-33771 Exploits"
- },
 {
 "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification",
 "meta": {
@@ -17401,8 +17128,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -17425,8 +17152,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rootm0s/WinPwnage",
 "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
+ "https://github.com/rootm0s/WinPwnage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
 ],
 "tags": [
@@ -17600,11 +17327,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
 "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
 "tags": [
@@ -17637,8 +17364,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
 ],
 "tags": [
@@ -17662,8 +17389,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
 ],
@@ -17697,13 +17424,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -17770,8 +17497,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -17795,8 +17522,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
@@ -17825,39 +17552,6 @@
 "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298",
 "value": "Session Manager Autorun Keys Modification"
 },
- {
- "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/04/05",
- "falsepositive": [
- "Legitimate reminders received for a task or a note will also trigger this rule."
- ],
- "filename": "registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml",
- "level": "low",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1137"
- ]
- },
- "related": [
- {
- "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fc06e655-d98c-412f-ac76-05c2698b1cb2",
- "value": "Outlook Task/Note Reminder Received"
- },
 {
 "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes",
 "meta": {
@@ -17918,8 +17612,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
 ],
 "tags": [
@@ -17993,8 +17687,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -18146,8 +17840,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
 ],
 "tags": [
@@ -18181,10 +17875,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -18284,9 +17978,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
 "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -18427,8 +18121,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
@@ -18464,8 +18158,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
@@ -18532,8 +18226,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
@@ -18723,8 +18417,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -18757,8 +18451,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -18903,8 +18597,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -18984,8 +18678,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
 ],
 "tags": [
@@ -19151,9 +18845,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
@@ -19294,13 +18988,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -19368,8 +19062,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
@@ -19404,8 +19098,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
@@ -19523,8 +19217,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
 ],
 "tags": [
@@ -19658,8 +19352,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
 ],
 "tags": [
@@ -19716,8 +19410,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -19751,8 +19445,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
@@ -20041,10 +19735,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -20111,8 +19805,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
 ],
 "tags": [
@@ -20232,8 +19926,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
 ],
 "tags": [
@@ -20456,8 +20150,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
 "https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
 ],
 "tags": [
@@ -20513,8 +20207,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -20550,8 +20244,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
@@ -20585,8 +20279,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -20610,8 +20304,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
@@ -20678,8 +20372,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/aedebug.html",
 "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+ "https://persistence-info.github.io/Data/aedebug.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
 ],
 "tags": [
@@ -20736,8 +20430,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
 ],
@@ -20840,9 +20534,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
 "tags": [
@@ -20917,9 +20611,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
 ],
 "tags": [
@@ -20953,8 +20647,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -21018,9 +20712,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sans.org/cyber-security-summit/archives",
 "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
- "https://www.sans.org/cyber-security-summit/archives",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -21214,8 +20908,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml"
 ],
 "tags": [
@@ -21281,8 +20975,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1476286368385019906",
 "https://persistence-info.github.io/Data/lsaaextension.html",
+ "https://twitter.com/0gtweet/status/1476286368385019906",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml"
 ],
 "tags": [
@@ -21305,8 +20999,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -21477,9 +21171,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/998627081360695297",
 "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/pabraeken/status/998627081360695297",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
 "tags": [
@@ -21638,10 +21332,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -21707,9 +21401,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -21885,9 +21579,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -21910,10 +21604,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/elastic/detection-rules/issues/1371",
 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -21987,10 +21681,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
- "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
+ "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
 ],
 "tags": [
@@ -22057,9 +21751,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
 "tags": [
@@ -22082,17 +21776,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -22167,8 +21861,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
@@ -22236,8 +21930,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
@@ -22306,9 +22000,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/ifilters.html",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
 "https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -22364,8 +22058,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dez_/status/1560101453150257154",
 "https://forensafe.com/blogs/typedpaths.html",
+ "https://twitter.com/dez_/status/1560101453150257154",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
 ],
 "tags": [
@@ -22458,9 +22152,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
 "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
 ],
 "tags": [
@@ -22574,9 +22268,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
 "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -22655,10 +22349,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -22845,8 +22539,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
 ],
 "tags": [
@@ -23097,6 +22791,48 @@
 "uuid": "facd1549-e416-48e0-b8c4-41d7215eedc8",
 "value": "Amsi.DLL Load By Uncommon Process"
 },
+ {
+ "description": "Detects potential DLL sideloading of \"SolidPDFCreator.dll\"",
+ "meta": {
+ "author": "X__Junior (Nextron Systems)",
+ "creation_date": "2023/05/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_solidpdfcreator.yml",
+ "level": "medium",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a2edbce1-95c8-4291-8676-0d45146862b3",
+ "value": "Potential SolidPDFCreator.DLL Sideloading"
+ },
 {
 "description": "Detects WMI command line event consumers",
 "meta": {
@@ -23187,11 +22923,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Wh04m1001/SysmonEoP",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -23273,7 +23009,7 @@
 "Legitimate applications loading their own versions of the DLL mentioned in this rule"
 ],
 "filename": "image_load_side_load_dbgcore_dll.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
@@ -23305,7 +23041,7 @@
 }
 ],
 "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7",
- "value": "DLL Sideloading Of DBGCORE.DLL"
+ "value": "Potential DLL Sideloading Of DBGCORE.DLL"
 },
 {
 "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor",
@@ -23472,9 +23208,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
 "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
 "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
@@ -23860,9 +23596,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://thewover.github.io/Introducing-Donut/",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://github.com/tyranid/DotNetToJScript",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
@@ -23897,9 +23633,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
 "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml"
 ],
 "tags": [
@@ -23932,8 +23668,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
 "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_malware_pingback_backdoor.yml"
 ],
 "tags": [
@@ -23999,8 +23735,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
 ],
 "tags": [
@@ -24039,7 +23775,7 @@
 "Legitimate applications loading their own versions of the DLL mentioned in this rule"
 ],
 "filename": "image_load_side_load_dbghelp_dll.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
@@ -24071,7 +23807,7 @@
 }
 ],
 "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784",
- "value": "DLL Sideloading Of DBGHELP.DLL"
+ "value": "Potential DLL Sideloading Of DBGHELP.DLL"
 },
 {
 "description": "Detects SILENTTRINITY stager dll loading activity",
@@ -24655,8 +24391,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/ly4k/SpoolFool",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
 ],
 "tags": [
@@ -24723,6 +24459,49 @@
 "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f",
 "value": "Microsoft Office DLL Sideload"
 },
+ {
+ "description": "Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon location",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_gup_libcurl.yml",
+ "level": "medium",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e49b5745-1064-4ac1-9a2e-f687bc2dd37e",
+ "value": "Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE"
+ },
 {
 "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.",
 "meta": {
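Review bot: The `falsepositive` list of the new `image_load_side_load_gup_libcurl.yml` entry is just `"Unknown"`, while its own description scopes the detection to an "uncommon location", which implies a known legitimate one exists. If I recall correctly, gup.exe is the Notepad++ updater and ships with its own libcurl.dll next to it, so an entry such as `"Notepad++ updater (gup.exe) loading its bundled libcurl.dll from the Notepad++ install directory"` would help triage; as this file is generated from the upstream Sigma YAML, that text belongs in the rule and would carry over on the next regeneration. The `"level": "medium"` together with the "Potential" wording is consistent with the other sideloading entries touched by this commit.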
@@ -24770,8 +24549,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
- "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
 "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
 ],
 "tags": [
@@ -24957,8 +24736,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -25026,8 +24805,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://github.com/bohops/WSMan-WinRM",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
 ],
@@ -25282,8 +25061,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -25591,9 +25370,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://www.mdeditor.tw/pl/pgRt",
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
 ],
 "tags": [
@@ -25626,8 +25405,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
 ],
@@ -25871,8 +25650,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
 ],
 "tags": [
@@ -25980,24 +25759,24 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/samratashok/nishang",
 "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://adsecurity.org/?p=2921",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
 ],
 "tags": [
@@ -26362,23 +26141,23 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/samratashok/nishang",
 "https://github.com/besimorhino/powercat",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
 ],
 "tags": [
@@ -26801,8 +26580,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
 "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content",
+ "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml"
 ],
 "tags": [
@@ -26892,8 +26671,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -27167,8 +26946,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
 ],
@@ -27322,8 +27101,8 @@
 "refs": [
 "https://adsecurity.org/?p=2277",
 "https://powersploit.readthedocs.io/en/stable/Recon/README",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
 ],
 "tags": [
@@ -27465,9 +27244,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
 "https://www.ietf.org/rfc/rfc2821.txt",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
 ],
 "tags": [
@@ -27522,6 +27301,40 @@
 "uuid": "db885529-903f-4c5d-9864-28fe199e6370",
 "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"
 },
+ {
+ "description": "Detects calls to \"Add-Content\" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2021/08/18",
+ "falsepositive": [
+ "Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session"
+ ],
+ "filename": "posh_ps_user_profile_tampering.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.013"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
+ "value": "Potential Persistence Via PowerShell User Profile Using Add-Content"
+ },
 {
 "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)",
 "meta": {
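Review bot: The `"uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152"` on this new `posh_ps_user_profile_tampering.yml` entry is the same uuid carried by the `posh_ps_trigger_profiles.yml` entry that the later hunk `@@ -28391,39 +28238,6 @@` removes, so this is a rename of an existing cluster (new title, new falsepositive text, added `attack.persistence` tag) rather than a new rule. Keeping the uuid stable is the right call for galaxy consumers that pin clusters by uuid, but it makes the two hunks inseparable: applying this addition without the deletion leaves two clusters with one uuid in the file. A reader of this hunk alone cannot see that dependency, so it is worth calling out in review before any partial cherry-pick of the regenerated file.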
@@ -27536,8 +27349,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
 ],
 "tags": [
@@ -27703,11 +27516,11 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
 "http://woshub.com/manage-windows-firewall-powershell/",
 "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
 "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
 ],
 "tags": [
@@ -27897,8 +27710,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
@@ -27976,6 +27789,40 @@
 "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997",
 "value": "Powershell Sensitive File Discovery"
 },
+ {
+ "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "The same functionality can be implemented by admin scripts, correlate with name and creator"
+ ],
+ "filename": "posh_ps_resolve_list_of_ip_from_file.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fbc5e92f-3044-4e73-a5c6-1c4359b539de",
+ "value": "PowerShell Script With File Hostname Resolving Capabilities"
+ },
 {
 "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
 "meta": {
@@ -28022,8 +27869,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
 "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
 ],
 "tags": [
@@ -28118,8 +27965,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
+ "https://www.powershellgallery.com/packages/DSInternals",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
 ],
 "tags": [
@@ -28194,8 +28041,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
 ],
@@ -28391,39 +28238,6 @@
 "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b",
 "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
 },
- {
- "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "posh_ps_trigger_profiles.yml",
- "level": "medium",
- "logsource.category": "ps_script",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1546.013"
- ]
- },
- "related": [
- {
- "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
- "value": "Powershell Trigger Profiles by Add_Content"
- },
 {
 "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet",
 "meta": {
@@ -28771,8 +28585,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
 ],
 "tags": [
@@ -28970,8 +28784,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
 ],
@@ -28997,8 +28811,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
 ],
 "tags": [
@@ -29032,8 +28846,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
 ],
 "tags": [
@@ -29066,8 +28880,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
 ],
 "tags": [
@@ -29228,8 +29042,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
 ],
 "tags": [
@@ -29285,9 +29099,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
 ],
 "tags": [
@@ -29418,8 +29232,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Gerenios/AADInternals",
 "https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
 ],
 "tags": [
@@ -29597,8 +29411,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
 ],
 "tags": [
@@ -29640,8 +29454,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
 ],
 "tags": [
@@ -29674,8 +29488,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
 ],
 "tags": [
@@ -29708,8 +29522,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
 ],
 "tags": [
@@ -29775,8 +29589,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
+ "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
 ],
 "tags": [
@@ -29809,8 +29623,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
 ],
 "tags": [
@@ -29864,6 +29678,30 @@
 "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
 "value": "Create Volume Shadow Copy with Powershell"
 },
+ {
+ "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Administrators backup scripts (must be investigated)"
+ ],
+ "filename": "posh_ps_veeam_credential_dumping_script.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
+ ],
+ "tags": [
+ "attack.credential_access"
+ ]
+ },
+ "uuid": "976d6e6f-a04b-4900-9713-0134a353e38b",
+ "value": "Veeam Backup Servers Credential Dumping Script Execution"
+ },
 {
 "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
 "meta": {
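Review bot: The new `posh_ps_veeam_credential_dumping_script.yml` entry carries only the tactic tag `"attack.credential_access"` and no `attack.tXXXX` technique tag, and, unlike the three other clusters added in this commit, it has no `related` array linking it to an ATT&CK technique. The `related` entries elsewhere in this file appear to be derived from the technique tags, so the omission looks like a consequence of the upstream Sigma rule's tags rather than a generator bug, and the fix belongs in that YAML; a technique such as `attack.t1555` (credentials from password stores) would be the natural candidate given the description, if the rule authors agree. Until then this cluster will not surface in technique-based pivots, which is unfortunate for a `"level": "high"` rule.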
@@ -29877,8 +29715,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
 ],
 "tags": [
@@ -29935,8 +29773,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -30056,9 +29894,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
 ],
 "tags": [
@@ -30091,8 +29929,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
 ],
 "tags": [
@@ -30328,8 +30166,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -30431,8 +30269,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
 "https://twitter.com/pabraeken/status/995111125447577600",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
 ],
 "tags": [
@@ -30607,8 +30445,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
 ],
 "tags": [
@@ -30641,10 +30479,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
 "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
- "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
 "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -30710,9 +30548,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -30768,8 +30606,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
 "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
 ],
 "tags": [
@@ -31078,9 +30916,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
- "https://twitter.com/ScumBots/status/1610626724257046529",
 "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
 "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
@@ -31115,8 +30953,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
 ],
 "tags": [
@@ -31215,8 +31053,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
 ],
 "tags": "No established tags"
@@ -31278,24 +31116,24 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/samratashok/nishang",
 "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://adsecurity.org/?p=2921",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -31427,9 +31265,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.shellhacks.com/clear-history-powershell/",
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
+ "https://www.shellhacks.com/clear-history-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
 ],
 "tags": [
@@ -31629,9 +31467,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
 "tags": "No established tags"
@@ -31793,8 +31631,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
 "https://github.com/Arno0x/DNSExfiltrator",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
 ],
 "tags": [
@@ -31894,8 +31732,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -31915,41 +31753,6 @@
 "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
 "value": "Powershell WMI Persistence"
 },
- {
- "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/07",
- "falsepositive": [
- "Legitimate script"
- ],
- "filename": "posh_ps_upload.yml",
- "level": "medium",
- "logsource.category": "ps_script",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
- "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1020"
- ]
- },
- "related": [
- {
- "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
- "value": "Windows PowerShell Upload Web Request"
- },
 {
 "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n",
 "meta": {
@@ -31996,8 +31799,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
+ "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
 ],
 "tags": [
@@ -32234,6 +32037,41 @@
 "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
 "value": "Invoke-Obfuscation Via Stdin - Powershell"
 },
+ {
+ "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_script_with_upload_capabilities.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
+ "value": "PowerShell Script With File Upload Capabilities"
+ },
 {
 "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
 "meta": {
@@ -32300,40 +32138,6 @@
 "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
 "value": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools"
 },
- {
- "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
- "meta": {
- "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community",
- "creation_date": "2018/11/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
- "value": "CobaltStrike Process Injection"
- },
 {
 "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n",
 "meta": {
@@ -32368,6 +32172,40 @@
 "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
 "value": "Password Dumper Remote Thread in LSASS"
 },
+ {
+ "description": "Detects uncommon target processes for remote thread creation",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/03/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "create_remote_thread_win_uncommon_target_image.yml",
+ "level": "high",
+ "logsource.category": "create_remote_thread",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
+ "value": "Remote Thread Creation In Uncommon Target Image"
+ },
 {
 "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process",
 "meta": {
@@ -32376,13 +32214,13 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "create_remote_thread_win_powershell_crt_rundll32.yml",
+ "filename": "create_remote_thread_win_powershell_susp_targets.yml",
 "level": "high",
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -32411,131 +32249,22 @@
 "value": "Remote Thread Creation Via PowerShell In Rundll32"
 },
 {
- "description": "Detects remote thread injection events based on action seen used by bumblebee",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_bumblebee.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1218.011",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
- "value": "Bumblebee Remote Thread Creation"
- },
- {
- "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"",
- "meta": {
- "author": "oscd.community, Natalia Shornikova",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
- "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
- },
- {
- "description": "Detects a remote thread creation in suspicious target images",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/03/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_susp_targets.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
- "value": "Remote Thread Creation in Suspicious Targets"
- },
- {
- "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity",
+ "description": "Detects remote thread creation in \"KeePass.exe\" which could indicates potential password dumping activity",
 "meta": {
 "author": "Timon Hackenjos",
 "creation_date": "2022/04/22",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "create_remote_thread_win_password_dumper_keepass.yml",
+ "filename": "create_remote_thread_win_keepass.yml",
 "level": "high",
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/KeeThief",
- "https://github.com/denandz/KeeFarce",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
+ "https://github.com/denandz/KeeFarce",
+ "https://github.com/GhostPack/KeeThief",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
 "attack.credential_access",
@@ -32552,66 +32281,7 @@
 }
 ],
 "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
- "value": "KeePass Password Dumping"
- },
- {
- "description": "Detects remote thread creation from CACTUSTORCH as described in references.",
- "meta": {
- "author": "@SBousseaden (detection), Thomas Patzke (rule)",
- "creation_date": "2019/02/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_cactustorch.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
- "https://twitter.com/SBousseaden/status/1090588499517079552",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.012",
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007",
- "attack.t1218.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
- "value": "CACTUSTORCH Remote Thread Creation"
+ "value": "Remote Thread Created In KeePass.EXE"
 },
 {
 "description": "Detects the creation of a remote thread from a Powershell process to another process",
@@ -32621,13 +32291,13 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "create_remote_thread_win_powershell_crt.yml",
+ "filename": "create_remote_thread_win_powershell_generic.yml",
 "level": "medium",
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml"
 ],
 "tags": [
 "attack.execution",
@@ -32647,60 +32317,38 @@
 "value": "Remote Thread Creation Via PowerShell"
 },
 {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
+ "description": "Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
 "meta": {
- "author": "Perez Diego (@darkquassar), oscd.community",
- "creation_date": "2019/10/27",
+ "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community",
+ "creation_date": "2018/11/30",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "create_remote_thread_win_susp_remote_thread_source.yml",
+ "filename": "create_remote_thread_win_hktl_cobaltstrike.yml",
 "level": "high",
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "Personal research, statistical analysis",
- "https://lolbas-project.github.io",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
 ],
 "tags": [
- "attack.privilege_escalation",
 "attack.defense_evasion",
- "attack.t1055"
+ "attack.t1055.001"
 ]
 },
 "related": [
 {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119",
- "value": "Suspicious Remote Thread Source"
- },
- {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/08/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_susp_remote_thread_target.yml",
- "level": "medium",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "f016c716-754a-467f-a39e-63c06f773987",
- "value": "Suspicious Remote Thread Target"
+ "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
+ "value": "HackTool - Potential CobaltStrike Process Injection"
 },
 {
 "description": "Detects a remote thread creation of Ttdinject.exe used as proxy",
@@ -32768,6 +32416,133 @@ "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee", "value": "CreateRemoteThread API and LoadLibrary" }, + { + "description": "Detects uncommon processes creating remote threads", + "meta": { + "author": "Perez Diego (@darkquassar), oscd.community", + "creation_date": "2019/10/27", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_uncommon_source_image.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "Personal research, statistical analysis", + "https://lolbas-project.github.io", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" + ] + }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119", + "value": "Remote Thread Creation By Uncommon Source Image" + }, + { + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_powershell_lsass.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "related-to" + } + ], + "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f", + "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread" + }, + { + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "meta": { + "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "creation_date": "2019/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_hktl_cactustorch.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1055.012", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" + ] + }, + "related": [ + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "value": "HackTool - CACTUSTORCH Remote Thread Creation" + }, { "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", "meta": { 
@@ -32888,11 +32663,11 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", - "https://twitter.com/malmoeb/status/1551449425842786306", "https://github.com/fengjixuchui/gdrv-loader", "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://twitter.com/malmoeb/status/1551449425842786306", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" ], "tags": [ @@ -33268,14 +33043,13 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ + "https://github.com/winsiderss/systeminformer", "https://processhacker.sourceforge.io/", "https://systeminformer.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], "tags": [ "attack.privilege_escalation", - "cve.2021.21551", "attack.t1543" ] }, @@ -33304,8 +33078,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml" ], "tags": [ 
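Review bot: Dropping `"cve.2021.21551"` from the Process Hacker driver entry (hunk @@ -33268, `driver_load_win_process_hacker.yml`) looks correct — that CVE identifies a vulnerability in a different vendor's signed driver (the Dell dbutil driver, to my knowledge), not the Process Hacker / System Informer driver this rule covers, so the tag was mis-attributed. No other entry in this chunk carries a `cve.*` tag, so it is worth grepping the rest of the cluster to confirm the rule that actually concerns that driver still carries it after the regeneration. The remaining `attack.privilege_escalation` / `attack.t1543` pair is internally consistent.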
@@ -33338,8 +33112,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/alfarom256/CVE-2022-3699/", + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" ], "tags": [ @@ -33440,8 +33214,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://pypi.org/project/scapy/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ 
@@ -33497,6 +33271,41 @@ "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", "value": "Notepad Making Network Connection" }, + { + "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2023/04/28", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "filename": "net_connection_win_winlogon_net_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.command_and_control", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b", + "value": "Outbound Network Connection To Public IP Via Winlogon" + }, { "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", "meta": { 
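Review bot: The technique tag `"attack.t1218.011"` (and the matching `related` dest-uuid `045d0922-2310-4e60-b5e4-3302302cb3c5`) is an odd fit for an outbound-connection rule on winlogon.exe — T1218.011 is System Binary Proxy Execution: Rundll32, while the rule's own tactics (`defense_evasion`, `execution`, `command_and_control`) and the BlackLotus reference describe injection-into-a-system-process plus C2 behaviour. The mapping is inherited from the upstream rule, so if it is wrong it should be corrected there and regenerated, not patched in this file. The description `Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses` has a grammar slip (`initiates`), likewise upstream text. The `falsepositive` string is the useful tuning hint here: deployments should exclude their own public-range corporate destinations rather than loosen the process match.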
@@ -33510,8 +33319,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://content.fireeye.com/apt-41/rpt-apt41", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://content.fireeye.com/apt-41/rpt-apt41", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], @@ -33609,8 +33418,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -33917,8 +33726,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ 
@@ -33952,8 +33761,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/M_haggis/status/900741347035889665", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", @@ -33989,8 +33798,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" ], "tags": [ @@ -34061,6 +33870,7 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" ], "tags": [ + "attack.persistence", "attack.command_and_control", "attack.t1571" ] 
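Review bot: In hunk @@ -34061 `"attack.persistence"` is added as a tactic while the only technique in the list, `"attack.t1571"` (Non-Standard Port), belongs to Command and Control — the entry now carries a tactic tag with no technique supporting it, and the `related` block (outside this hunk) presumably still maps only T1571. If the upstream rule genuinely gained a persistence technique, the corresponding `attack.tNNNN` tag and `related` item should appear alongside; if not, the tactic tag should be dropped upstream. The same tactic-without-technique pattern appears in the new Process Explorer driver entry in hunk @@ -35307, where `attack.persistence` sits next to only `attack.t1068`, a privilege-escalation technique.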
@@ -34201,6 +34011,43 @@ "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "value": "Outbound RDP Connections Over Non-Standard Tools" }, + { + "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)", + "meta": { + "author": "Gavin Knapp", + "creation_date": "2023/05/01", + "falsepositive": [ + "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning." + ], + "filename": "net_connection_win_google_api_non_browser_access.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/looCiprian/GC2-sheet", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", + "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", + "https://youtu.be/n2dFlSaBBKo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102" + ] + }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003", + "value": "Suspicious Non-Browser Network Communication With Google API" + }, { "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", "meta": { 
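Review bot: The uuid `"7e9cf7b6-e827-11ed-a05b-0242ac120003"` and the Notion entry's `"7e9cf7b6-e827-11ed-a05b-15959c120003"` (hunk @@ -34421) differ only in the final node field; both are time-based (version 1, per the `11ed` group) identifiers that appear to have been derived from one template rather than freshly generated, which raises the odds of a copy-paste duplicate in a later rule by the same author. The ids come from the upstream rule files and must not be changed here, but a uniqueness check across the cluster before merging is cheap, e.g. `jq '[.values[].uuid] | group_by(.) | map(select(length > 1))' clusters/sigma-rules.json` (assuming the top-level array is `values`, as in other MISP galaxy clusters). The `falsepositive` text `This is environmental dependent` is an upstream wording slip (`environment-dependent`).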
@@ -34399,9 +34246,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://github.com/kleiton0x00/RedditC2",
 "https://twitter.com/kleiton0x7e/status/1600567316810551296",
- "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
 ],
 "tags": [
@@ -34421,6 +34268,40 @@ "uuid": "d7b09985-95a3-44be-8450-b6eadf49833e", "value": "Suspicious Non-Browser Network Communication With Reddit API" }, + { + "description": "Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"", + "meta": { + "author": "Gavin Knapp", + "creation_date": "2023/05/03", + "falsepositive": [ + "Legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured." + ], + "filename": "net_connection_win_notion_api_susp_communication.yml", + "level": "low", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/mttaggart/OffensiveNotion", + "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102" + ] + }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7e9cf7b6-e827-11ed-a05b-15959c120003", + "value": "Potentially Suspicious Network Connection To Notion API" + }, { "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", "meta": { 
@@ -34468,8 +34349,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" ], "tags": [ @@ -34544,8 +34425,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -34635,8 +34516,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ 
@@ -34713,48 +34594,6 @@ "uuid": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "value": "Potential Binary Or Script Dropper Via PowerShell.EXE" }, - { - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_ntds_dit.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", - "https://adsecurity.org/?p=2398", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", - "value": "Suspicious Process Writes Ntds.dit" - }, { "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", "meta": { 
@@ -34781,6 +34620,83 @@ "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03", "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique" }, + { + "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/10/25", + "falsepositive": [ + "Legitimate downloads of \".vhd\" files would also trigger this" + ], + "filename": "file_event_win_vhd_download_via_browsers.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", + "value": "VHD Image Download Via Browser" + }, + { + "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_dit_uncommon_process.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2398", + 
"https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", + "value": "NTDS.DIT Creation By Uncommon Process" + }, { "description": "Detects files written by the different tools that exploit HiveNightmare", "meta": { @@ -34794,10 +34710,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GossiTheDog/HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/FireFart/hivenightmare/", + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ 
@@ -34884,10 +34800,10 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -34953,8 +34869,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ 
@@ -35067,11 +34983,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://www.google.com/search?q=procdump+lsass", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -35138,8 +35054,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ 
@@ -35163,12 +35079,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -35191,8 +35107,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" ], "tags": [ 
@@ -35213,6 +35129,42 @@ "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "value": "PsExec Service File Creation" }, + { + "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_dit_uncommon_parent_process.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/tag/ntds-dit/", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "value": "NTDS.DIT Creation By Uncommon Parent Process" + }, { "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", "meta": { 
@@ -35251,10 +35203,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -35307,6 +35259,43 @@ "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "value": "Suspicious Files in Default GPO Folder" }, + { + "description": "Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2023/05/05", + "falsepositive": [ + "Some false positives may occur with legitimate renamed process explorer binaries" + ], + "filename": "file_event_win_sysinternals_procexp_driver_susp_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", + "https://github.com/Yaxser/Backstab", + "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "de46c52b-0bf8-4936-a327-aace94f94ac6", + "value": "Process Explorer Driver Creation By Non-Sysinternals Binary" + }, { "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to 
launch.\n",
 "meta": {
@@ -35461,9 +35450,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "Internal Research",
 "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
 ],
 "tags": [
@@ -35517,6 +35506,48 @@ "uuid": "74babdd6-a758-4549-9632-26535279e654", "value": "Suspicious Executable File Creation" }, + { + "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", + "meta": { + "author": "Micah Babinski, @micahbabinski", + "creation_date": "2023/05/08", + "falsepositive": [ + "File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use." + ], + "filename": "file_event_win_susp_homoglyph_filename.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "http://www.irongeek.com/homoglyph-attack-generator.php", + "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1036.003" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6", + "value": "Potential Homoglyph Attack Using Lookalike Characters in Filename" + }, { "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", "meta": { 
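Review bot: The homoglyph entry tags both the parent technique `"attack.t1036"` and the sub-technique `"attack.t1036.003"` (with two matching `related` items), whereas elsewhere in this patch the parent is dropped once a sub-technique is tagged (hunk @@ -32647 replaces `attack.t1055` with `attack.t1055.001`); tagging one or the other consistently keeps per-technique counts meaningful for consumers that aggregate the cluster by technique. Both tags come from the upstream rule, so this is a style point to raise there rather than a change to make in this file. The `falsepositive` text (`File names with legitimate Cyrillic text …`) is the important deployment caveat: the rule is effectively unusable without tuning where non-Latin scripts are normal in filenames.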
@@ -35531,8 +35562,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/cube0x0/CVE-2021-1675",
 "https://github.com/afwu/PrintNightmare",
+ "https://github.com/cube0x0/CVE-2021-1675",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -35592,9 +35623,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
- "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
@@ -35663,8 +35694,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
 ],
 "tags": [
@@ -36065,11 +36096,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -36136,26 +36167,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/adrecon/AzureADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/adrecon/ADRecon", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/samratashok/nishang", + "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/besimorhino/powercat", "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/adrecon/ADRecon", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/AlsidOfficial/WSUSpendu/", + 
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/besimorhino/powercat", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -36188,9 +36219,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ 
@@ -36261,6 +36292,40 @@
 "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
 "value": "Suspicious MSExchangeMailboxReplication ASPX Write"
 },
+ {
+ "description": "Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_perflogs_susp_files.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "bbb7e38c-0b41-4a11-b306-d2a457b7ac2b",
+ "value": "Suspicious File Created In PerfLogs"
+ },
 {
 "description": "Detects processes creating temp files related to PCRE.NET package",
 "meta": {
@@ -36406,8 +36471,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
 ],
 "tags": [
@@ -36508,8 +36573,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
 "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
 ],
 "tags": [
@@ -36721,8 +36786,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
 ],
 "tags": [
@@ -36755,8 +36820,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml"
 ],
 "tags": [
@@ -36860,10 +36925,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -36896,9 +36961,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
 ],
 "tags": [
@@ -36931,9 +36996,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -36957,9 +37022,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -37154,6 +37219,40 @@
 "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377",
 "value": "Anydesk Temporary Artefact"
 },
+ {
+ "description": "Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Some false positives may occur with legitimate renamed process monitor binaries"
+ ],
+ "filename": "file_event_win_sysinternals_procmon_driver_susp_creation.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1068"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a05baa88-e922-4001-bc4d-8738135f27de",
+ "value": "Process Monitor Driver Creation By Non-Sysinternals Binary"
+ },
 {
 "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.",
 "meta": {
@@ -37318,8 +37417,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml"
 ],
 "tags": [
@@ -37386,8 +37485,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
 ],
 "tags": [
@@ -37509,43 +37608,7 @@
 "value": "UAC Bypass Using NTFS Reparse Point - File"
 },
 {
- "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/03/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_ntds_dit.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
- "value": "Suspicious NTDS.DIT Creation"
- },
- {
- "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration",
+ "description": "Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2022/03/11",
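Review bot: Cluster `4e7050dd-e548-483f-b7d6-527ab4fa784d` ("Suspicious NTDS.DIT Creation") is deleted outright rather than retired, so any MISP event already carrying its galaxy tag (`misp-galaxy:sigma-rules="Suspicious NTDS.DIT Creation"`, assuming the galaxy type matches the file name) will no longer resolve to a cluster after this update. The same applies to the removals of "Moriya Rootkit" (`a1507d71-0b60-44f6-b17c-bf53220fdd88`), "Suspicious VHD Image Download From Browser" (`8468111a-ef07-4654-903b-b863a80bbc95`) and "Pingback Backdoor File Indicators" (`2bd63d53-84d4-4210-80ff-bf0658f1bf78`) later in this diff. The rule was presumably deprecated upstream; the "NTDS.DIT Created" entry added further down (`0b8baa3f-575c-46ee-8715-d6f28cc7d33c`) is a broader rule with a new UUID, `"level": "low"` instead of `"high"` and none of the four original references, so consumers cannot map the old tag to it automatically. Listing the dropped UUIDs in the commit message, or keeping retired entries with a deprecation note in their `description` if the generator allows it, would give downstream users a migration path.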
@@ -37557,9 +37620,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
 ],
 "tags": [
@@ -37577,7 +37640,7 @@
 }
 ],
 "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a",
- "value": "Suspicious NTDS Exfil Filename Patterns"
+ "value": "NTDS Exfiltration Filename Patterns"
 },
 {
 "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n",
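Review bot: Renaming `value` from "Suspicious NTDS Exfil Filename Patterns" to "NTDS Exfiltration Filename Patterns" changes the tag string under which this cluster is attached in MISP, even though `"uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a"` is unchanged; events tagged under the old name will no longer match it by name. If the generator supports it, carrying the previous title as `"synonyms": ["Suspicious NTDS Exfil Filename Patterns"]` inside `meta` would keep the old tag discoverable. The rename itself follows the upstream rule title and is not something to revert here.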
@@ -37775,11 +37838,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://github.com/search?q=CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/FireFart/hivenightmare",
 "https://github.com/HuskyHacks/ShadowSteal",
+ "https://github.com/search?q=CVE-2021-36934",
+ "https://github.com/FireFart/hivenightmare",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
 ],
 "tags": [
@@ -37799,40 +37862,6 @@
 "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0",
 "value": "Potential SAM Database Dump"
 },
- {
- "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_moriya_rootkit.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88",
- "value": "Moriya Rootkit"
- },
 {
 "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)",
 "meta": {
@@ -37968,41 +37997,6 @@
 "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8",
 "value": "UAC Bypass Abusing Winsat Path Parsing - File"
 },
- {
- "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n",
- "meta": {
- "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
- "creation_date": "2021/10/25",
- "falsepositive": [
- "Legitimate downloads of \".vhd\" files would also trigger this"
- ],
- "filename": "file_event_win_mal_vhd_download.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8468111a-ef07-4654-903b-b863a80bbc95",
- "value": "Suspicious VHD Image Download From Browser"
- },
 {
 "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents",
 "meta": {
@@ -38106,8 +38100,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
+ "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
 ],
 "tags": [
@@ -38217,6 +38211,39 @@
 "uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
 "value": "Hijack Legit RDP Session to Move Laterally"
 },
+ {
+ "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_ntds_dit_creation.yml",
+ "level": "low",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0b8baa3f-575c-46ee-8715-d6f28cc7d33c",
+ "value": "NTDS.DIT Created"
+ },
 {
 "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence",
 "meta": {
@@ -38343,10 +38370,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
 "tags": "No established tags"
@@ -38469,9 +38496,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
 ],
 "tags": [
@@ -38504,8 +38531,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
 "https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
 ],
 "tags": [
@@ -38538,8 +38565,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://twitter.com/davisrichardg/status/1616518800584704028",
+ "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_psexec_service_key.yml"
 ],
 "tags": [
@@ -38726,8 +38753,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
 "https://www.joesandbox.com/analysis/465533/0/html",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
 ],
 "tags": [
@@ -38836,8 +38863,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml"
 ],
 "tags": [
@@ -39070,12 +39097,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
 "https://github.com/Wh04m1001/SysmonEoP",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
 ],
 "tags": [
@@ -39226,8 +39253,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://twitter.com/cyb3rops/status/1552932770464292864",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
 ],
 "tags": [
@@ -39249,40 +39276,6 @@
 "uuid": "b6f91281-20aa-446a-b986-38a92813a18f",
 "value": "DLL Search Order Hijackig Via Additional Space in Path"
 },
- {
- "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_malware_pingback_backdoor.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_malware_pingback_backdoor.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1574.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78",
- "value": "Pingback Backdoor File Indicators"
- },
 {
 "description": "Detects the creation of tasks from processes executed from suspicious locations",
 "meta": {
@@ -39330,8 +39323,8 @@
 "logsource.category": "file_rename",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
 "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
+ "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
 ],
 "tags": [
@@ -39589,8 +39582,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
 ],
 "tags": [
@@ -39790,8 +39783,8 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
 "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml"
 ],
 "tags": [
@@ -39961,8 +39954,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
 ],
 "tags": [
@@ -40061,10 +40054,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
 ],
 "tags": [
@@ -40206,8 +40199,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -40307,9 +40300,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
 "https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations",
 "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations",
- "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml"
 ],
 "tags": [
@@ -40601,9 +40594,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
 "tags": [
@@ -40669,8 +40662,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -40690,32 +40683,6 @@
 "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac",
 "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
 },
- {
- "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)",
- "meta": {
- "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)",
- "creation_date": "2022/06/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444",
- "https://twitter.com/sbousseaden/status/1531653369546301440",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion"
- ]
- },
- "uuid": "868955d9-697e-45d4-a3da-360cefd7c216",
- "value": "Potential Exploitation Attempt From Office Application"
- },
 {
 "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.",
 "meta": {
@@ -40729,9 +40696,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/",
- "https://www.cobaltstrike.com/help-windows-executable",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://www.cobaltstrike.com/help-windows-executable",
+ "https://redcanary.com/threat-detection-report/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -40764,8 +40731,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://twitter.com/0gtweet/status/1638069413717975046",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml"
 ],
 "tags": [
@@ -40798,8 +40765,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"
 ],
 "tags": [
@@ -40824,10 +40791,10 @@
 "refs": [
 "https://www.joeware.net/freetools/tools/adfind/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
 "tags": [
@@ -40871,43 +40838,6 @@
 "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b",
 "value": "Renamed AdFind Execution"
 },
- {
- "description": "Detects potential Dtrack RAT activity via specific process patterns",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/10/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_dtrack.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
- "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
- "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
- "https://securelist.com/my-name-is-dtrack/93338/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4",
- "value": "Potential Dtrack RAT Activity"
- },
 {
 "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)",
 "meta": {
@@ -40942,40 +40872,6 @@
 "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89",
 "value": "WhoAmI as Parameter"
 },
- {
- "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/07/14",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_35211_servu.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.001",
- "cve.2021.35211"
- ]
- },
- "related": [
- {
- "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "75578840-9526-4b2a-9462-af469a45e767",
- "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
- },
 {
 "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.",
 "meta": {
@@ -41125,49 +41021,6 @@
 "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b",
 "value": "Unusual Parent Process For Cmd.EXE"
 },
- {
- "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/15",
- "falsepositive": [
- "Unknown but benign sub processes of the Windows DNS service dns.exe"
- ],
- "filename": "proc_creation_win_exploit_cve_2020_1350.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html",
- "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487",
- "value": "DNS RCE CVE-2020-1350"
- },
 {
 "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting",
 "meta": {
@@ -41182,8 +41035,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
 ],
 "tags": [
@@ -41211,48 +41064,6 @@
 "uuid": "15619216-e993-4721-b590-4c520615a67d",
 "value": "Potential Meterpreter/CobaltStrike Activity"
 },
- {
- "description": "Detects Rorschach ransomware execution activity",
- "meta": {
- "author": "X__Junior (Nextron Systems)",
- "creation_date": "2023/04/04",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.defense_evasion"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68",
- "value": "Rorschach Ransomware Execution Activity"
- },
 {
 "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
 "meta": {
@@ -41365,8 +41176,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/countuponsec/status/910969424215232518",
 "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://twitter.com/countuponsec/status/910969424215232518",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
@@ -41480,8 +41291,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://www.echotrail.io/insights/search/wusa.exe/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml"
 ],
 "tags": [
@@ -41537,8 +41348,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
 ],
 "tags": [
@@ -41603,8 +41414,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
 ],
 "tags": [
@@ -41660,9 +41471,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
@@ -41696,8 +41507,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/shantanu561993/SharpChisel",
 "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
 ],
 "tags": [
@@ -41730,9 +41541,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
 ],
 "tags": [
@@ -41773,9 +41584,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml"
 ],
 "tags": [
@@ -41843,13 +41654,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
 "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
 "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
 "https://ngrok.com/docs",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
 ],
 "tags": [
@@ -41882,8 +41693,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
 "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
+ "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
 ],
 "tags": [
@@ -41950,13 +41761,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -41997,10 +41808,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
 "https://twitter.com/hFireF0X/status/897640081053364225",
+ "https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
 ],
 "tags": [
@@ -42112,108 +41923,6 @@
 "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
 "value": "Arbitrary Command Execution Using WSL"
 },
- {
- "description": "Detects WannaCry ransomware activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_wannacry.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1210",
- "attack.discovery",
- "attack.t1083",
- "attack.defense_evasion",
- "attack.t1222.001",
- "attack.impact",
- "attack.t1486",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079",
- "value": "WannaCry Ransomware Activity"
- },
- {
- "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par",
- "meta": {
- "author": "Olaf Hartong",
- "creation_date": "2019/05/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_other_bearlpe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_bearlpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1053.005",
- "car.2013-08-001"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf",
- "value": "Potential BearLPE Exploitation"
- },
 {
 "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products",
 "meta": {
@@ -42262,10 +41971,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
- "https://redcanary.com/blog/yellow-cockatoo/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
+ "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://redcanary.com/blog/yellow-cockatoo/",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
 ],
 "tags": [
@@ -42315,8 +42024,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml"
 ],
 "tags": [
@@ -42571,8 +42280,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
 ],
 "tags": [
@@ -42592,40 +42301,6 @@
 "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b",
 "value": "Potential Command Line Path Traversal Evasion Attempt"
 },
- {
- "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL",
- "meta": {
- "author": "FPT.EagleEye",
- "creation_date": "2020/12/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://cyber.wtf/2021/11/15/guess-whos-back/",
- "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9",
- "value": "Potential Emotet Rundll32 Execution"
- },
 {
 "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM",
 "meta": {
@@ -42694,16 +42369,16 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
 ],
 "tags": [
@@ -42736,8 +42411,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
 ],
 "tags": [
@@ -42771,8 +42446,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
 "tags": [
@@ -42806,9 +42481,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml"
 ],
 "tags": [
@@ -42841,8 +42516,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -42884,8 +42559,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", + "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" ], "tags": [ @@ -42987,8 +42662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1534916659676422152", "https://twitter.com/nas_bench/status/1534915321856917506", + "https://twitter.com/nas_bench/status/1534916659676422152", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], @@ -43087,8 +42762,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/fatedier/frp", "https://asec.ahnlab.com/en/38156/", + "https://github.com/fatedier/frp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" ], "tags": [ 
@@ -43240,9 +42915,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://twitter.com/0gtweet/status/1628720819537936386", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://twitter.com/0gtweet/status/1628720819537936386", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -43607,10 +43282,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": "No established tags" 
@@ -43752,8 +43427,8 @@
 "refs": [
 "https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://redcanary.com/blog/raspberry-robin/",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml"
 ],
 "tags": [
@@ -43948,39 +43623,6 @@
 "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a",
 "value": "HackTool - SharpImpersonation Execution"
 },
- {
- "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_taidoor.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1055.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d1aa3382-abab-446f-96ea-4de52908210b",
- "value": "TAIDOOR RAT DLL Load"
- },
 {
 "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"",
 "meta": {
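Review bot: Dropping the `TAIDOOR RAT DLL Load` cluster (uuid `d1aa3382-abab-446f-96ea-4de52908210b`) removes a value that existing MISP events may already carry as a galaxy tag, so those tags and any correlation on them dangle after this update; the same applies to the other rule clusters deleted further down this page (LockerGoga, Sofacy loader, Wocao, Pingback, Griffon, ZxShell). Upstream SigmaHQ appears to have moved APT/malware-specific rules out of `rules/` into `rules-emerging-threats/` rather than deleting them, so the generator likely only needs to walk that directory as well; if a rule really was retired, keeping the entry and marking it deprecated (a top-level `"revoked": true`, as other galaxies do for retired ATT&CK entries) is safer than a silent removal. Either way the commit message should list the removed UUIDs so consumers can re-tag.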
@@ -44184,9 +43826,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ @@ -44268,8 +43910,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -44302,8 +43944,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" ], "tags": [ 
@@ -44497,10 +44139,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": "No established tags" @@ -44556,8 +44198,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], 
@@ -44578,41 +44220,6 @@ "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "value": "Sensitive Registry Access via Volume Shadow Copy" }, - { - "description": "Detects LockerGoga ransomware activity via specific command line.", - "meta": { - "author": "Vasiliy Burov, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_lockergoga_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", - "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", - "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_lockergoga_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "related": [ - { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "74db3488-fd28-480a-95aa-b7af626de068", - "value": "LockerGoga Ransomware Activity" - }, { "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "meta": { 
@@ -44627,10 +44234,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://twitter.com/EricaZelic/status/1614075109827874817", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -44747,9 +44354,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/pabraeken/status/995837734379032576", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/999090532839313408", - "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -44816,8 +44423,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1206692239839289344", "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", + "https://twitter.com/0gtweet/status/1206692239839289344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ 
@@ -44837,52 +44444,6 @@ "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "value": "Lolbin Runexehelper Use As Proxy" }, - { - "description": "Detects Trojan loader activity as used by APT28", - "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2018/03/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_sofacy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ClearskySec/status/960924755355369472", - "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" - ], - "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "value": "Sofacy Trojan Loader Activity" - }, { "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "meta": { 
@@ -44930,9 +44491,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -45066,8 +44627,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml" ], "tags": [ @@ -45136,9 +44697,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ 
@@ -45179,8 +44740,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": "No established tags" @@ -45235,12 +44796,12 @@ "logsource.product": "windows", "refs": [ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/Hexacorn/status/776122138063409152", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], 
@@ -45283,9 +44844,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -45318,8 +44879,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ @@ -45452,8 +45013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ 
@@ -45537,9 +45098,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ 
@@ -45627,108 +45188,6 @@ "uuid": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "value": "HackTool - Certipy Execution" }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "meta": { - "author": "Florian Roth (Nextron Systems), frack113", - "creation_date": "2019/12/20", - "falsepositive": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" - ], - "filename": "proc_creation_win_apt_wocao.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1207671369963646976", - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", - "value": "Operation 
Wocao Activity" - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_pingback_backdoor.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ] - }, - "related": [ - { - "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "value": "Pingback Backdoor Activity" - }, { "description": "Detects potential commandline obfuscation using known escape characters", "meta": { @@ -45744,9 +45203,9 @@ "refs": [ "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885570278637678592", - "https://twitter.com/vysecurity/status/885545634958385153", - "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/Hexacorn/status/885553465417756673", + "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", + "https://twitter.com/vysecurity/status/885545634958385153", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ 
@@ -45972,8 +45431,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -46171,8 +45630,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -46393,9 +45852,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml" ], "tags": [ 
@@ -46453,8 +45912,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ @@ -46565,10 +46024,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/defaultnamehere/cookie_crimes/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -46632,8 +46091,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ 
@@ -46675,8 +46134,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -46709,8 +46168,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ @@ -46812,8 +46271,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ 
@@ -46965,15 +46424,16 @@
 "author": "_pete_0, TheDFIRReport",
 "creation_date": "2022/02/21",
 "falsepositive": [
- "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command."
+ "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.",
+ "Discord was seen using chcp to look up code pages"
 ],
 "filename": "proc_creation_win_chcp_codepage_lookup.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
 ],
 "tags": [
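Review bot: The re-added false-positive line carries the typo through unchanged (`will eventually execution the 'chcp' command` should read `will eventually execute the 'chcp' command`), and because this JSON is regenerated from SigmaHQ's YAML the fix belongs in `proc_creation_win_chcp_codepage_lookup.yml` upstream, otherwise the next sync overwrites it. The downgrade from `"level": "high"` to `"level": "medium"` is a real tuning change for anyone who maps Sigma level to alert priority, yet nothing in the cluster meta records when it changed — only `creation_date` is carried over, not the rule's modified date — so the change is discoverable only by diffing; exporting the upstream `modified` field alongside `creation_date` would make such downgrades visible to consumers. The new entry `Discord was seen using chcp to look up code pages` presumably motivates the downgrade, but it names only the product, so tuners will have to derive their own parent-process exclusion rather than lift one from the rule.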
@@ -47027,29 +46487,6 @@ "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", "value": "HackTool - SharPersist Execution" }, - { - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/03/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_griffon_patterns.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_griffon_patterns.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", - "value": "Griffon Malware Attack Pattern" - }, { "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", "meta": { @@ -47063,8 +46500,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ 
@@ -47131,10 +46568,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://twitter.com/ReaQta/status/1222548288731217921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -47168,9 +46605,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -47203,8 +46640,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ 
@@ -47329,8 +46766,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -47400,50 +46837,6 @@
 "uuid": "903076ff-f442-475a-b667-4f246bcc203b",
 "value": "Nltest.EXE Execution"
 },
- {
- "description": "Detects a ZxShell start by the called and well-known function name",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2017/07/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_zxshell.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.defense_evasion",
- "attack.t1218.011",
- "attack.s0412",
- "attack.g0001"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
- "value": "ZxShell Malware"
- },
 {
 "description": "Shadow Copies deletion using operating systems utilities",
 "meta": {
@@ -47458,15 +46851,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -47508,8 +46901,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
 "tags": [
@@ -47576,11 +46969,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://gtfobins.github.io/gtfobins/ssh/",
 "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
 "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://gtfobins.github.io/gtfobins/ssh/",
- "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
 ],
 "tags": [
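Review bot: The `refs` list in the first hunk carries a free-text sentence, `"Turla has used fsutil fsinfo drives to list connected drives."`, among URLs, and the same problem shows up later as `"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)"` and `"Internal Research"`; the commit only moves these lines, but a consumer that renders `refs` as links will produce broken ones from them. These strings presumably come straight from the upstream Sigma `references` field, so either the generator should keep only URL-shaped entries in `refs` (moving prose into `description`) or the upstream rules need fixing.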
@@ -47600,52 +46993,6 @@
 "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598",
 "value": "Lolbin Ssh.exe Use As Proxy"
 },
- {
- "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/04/13",
- "falsepositive": [
- "Unknown",
- "Some cases in which the service spawned a werfault.exe process"
- ],
- "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
- "https://twitter.com/cyb3rops/status/1514217991034097664",
- "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
- "value": "Potential CVE-2022-26809 Exploitation Attempt"
- },
 {
 "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy",
 "meta": {
@@ -47659,8 +47006,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
+ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
 ],
 "tags": [
@@ -47802,8 +47149,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
 ],
 "tags": [
@@ -47859,67 +47206,6 @@
 "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede",
 "value": "File Download Via Bitsadmin"
 },
- {
- "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_oilrig_mar18.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_oilrig_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06",
- "value": "OilRig APT Activity"
- },
 {
 "description": "Detects code execution via the Windows Update client (wuauclt)",
 "meta": {
@@ -48108,12 +47394,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
 "https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
 "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -48147,10 +47433,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
 "tags": [
@@ -48203,31 +47489,6 @@
 "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d",
 "value": "Potential RDP Tunneling Via SSH"
 },
- {
- "description": "Detects potential Muddywater APT activity",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_muddywater_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_activity.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.g0069"
- ]
- },
- "uuid": "36222790-0d43-4fe8-86e4-674b27809543",
- "value": "Potential MuddyWater APT Activity"
- },
 {
 "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.",
 "meta": {
@@ -48361,40 +47622,6 @@
 "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
 "value": "Renamed Vmnat.exe Execution"
 },
- {
- "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/11/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_trickbot_wermgr.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1559"
- ]
- },
- "related": [
- {
- "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27",
- "value": "Trickbot Malware Activity"
- },
 {
 "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples",
 "meta": {
@@ -48434,8 +47661,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/impersonate",
 "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
 ],
 "tags": [
@@ -48536,9 +47763,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
 "https://www.scythe.io/library/threat-emulation-qakbot",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
 ],
 "tags": [
@@ -48561,8 +47788,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
 "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
 ],
 "tags": [
@@ -48595,8 +47822,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
 "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
 ],
@@ -48664,9 +47891,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -48733,8 +47960,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": "No established tags"
@@ -48757,8 +47984,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
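Review bot: In the second hunk `tags` is a string, `"tags": "No established tags"`, while every other entry in the file has `tags` as an array, and the same sentinel recurs on the SYSTEM-user anomaly rule further on; a consumer that iterates `tags` will walk the characters of that string or fail on this entry. Emitting `"tags": []` (or omitting the key) keeps one type per field, and since the commit regenerates the whole file the fix belongs in the generator's handling of rules without tags rather than in this entry alone.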
@@ -48801,41 +48028,6 @@
 "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43",
 "value": "Arbitrary Binary Execution Using GUP Utility"
 },
- {
- "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/10/22",
- "falsepositive": [
- "Renamed SysInternals tool"
- ],
- "filename": "proc_creation_win_apt_ta17_293a_ps.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.g0035",
- "attack.t1036.003",
- "car.2013-05-009"
- ]
- },
- "related": [
- {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "18da1007-3f26-470f-875d-f77faf1cab31",
- "value": "Ps.exe Renamed SysInternals Tool"
- },
 {
 "description": "Detects a code page switch in command line or batch scripts to a rare language",
 "meta": {
@@ -48849,8 +48041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
 "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
 ],
 "tags": [
@@ -48984,8 +48176,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://ss64.com/vb/cscript.html",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml"
 ],
 "tags": [
@@ -49072,9 +48264,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
 "tags": [
@@ -49084,58 +48276,6 @@
 "uuid": "4f7a6757-ff79-46db-9687-66501a02d9ec",
 "value": "Active Directory Structure Export Via Ldifde.EXE"
 },
- {
- "description": "Detects potential Dridex acitvity via specific process patterns",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/01/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_dridex.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3",
- "https://redcanary.com/threat-detection-report/threats/dridex/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055",
- "attack.discovery",
- "attack.t1135",
- "attack.t1033"
- ]
- },
- "related": [
- {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e",
- "value": "Potential Dridex Activity"
- },
 {
 "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services",
 "meta": {
@@ -49216,8 +48356,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
@@ -49277,10 +48417,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
 ],
 "tags": [
@@ -49321,10 +48461,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -49609,8 +48749,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
 ],
 "tags": [
@@ -49678,8 +48818,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
 "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
+ "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml"
 ],
 "tags": [
@@ -49735,9 +48875,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -49839,8 +48979,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/defaultpack.exe",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
+ "https://www.echotrail.io/insights/search/defaultpack.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
 ],
 "tags": [
@@ -49875,9 +49015,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
- "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
 "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
+ "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
 ],
 "tags": [
@@ -49911,8 +49051,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
+ "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml"
 ],
 "tags": [
@@ -50114,10 +49254,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://twitter.com/ForensicITGuy/status/1334734244120309760",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
 "tags": [
@@ -50154,40 +49294,6 @@
 "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937",
 "value": "Suspicious WmiPrvSE Child Process"
 },
- {
- "description": "Detects suspicious command line patterns seen being used by MERCURY APT",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/08/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_mercury.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.g0069"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d",
- "value": "MERCURY APT Activity"
- },
 {
 "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline",
 "meta": {
@@ -50202,9 +49308,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -50385,9 +49491,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml"
 ],
 "tags": [
@@ -50641,9 +49747,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
 ],
@@ -50729,8 +49835,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://tools.thehacker.recipes/mimikatz/modules",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
 ],
 "tags": "No established tags"
@@ -50738,40 +49844,6 @@ "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "value": "Suspicious SYSTEM User Process Creation" }, - { - "description": "Detects new commands that add new printer port which point to suspicious file", - "meta": { - "author": "EagleEye Team, Florian Roth", - "creation_date": "2020/05/13", - "falsepositive": [ - "New printer port install on host" - ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://windows-internals.com/printdemon-cve-2020-1048/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml" - ], - "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", - "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" - }, { "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", "meta": { @@ -50852,8 +49924,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml" ], "tags": [ 
@@ -50876,8 +49948,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" ], "tags": [ @@ -50919,11 +49991,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ 
@@ -50965,9 +50037,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -51034,8 +50106,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], @@ -51113,8 +50185,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/electron/rcedit", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ 
@@ -51172,8 +50244,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], @@ -51242,8 +50314,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ @@ -51310,8 +50382,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ 
@@ -51362,8 +50434,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -51503,40 +50575,6 @@ "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", "value": "Suspicious File Download via CertOC.exe" }, - { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "meta": { - "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)", - "creation_date": "2019/03/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_slingshot.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/apt-slingshot/84312/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", - "value": "Defrag Deactivation" - }, { "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", "meta": { 
@@ -51855,10 +50893,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ 
@@ -51878,62 +50916,6 @@ "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "value": "Suspicious Cabinet File Execution Via Msdt.EXE" }, - { - "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", - "creation_date": "2023/01/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw", - "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_win_server_undocumented_rce.yml" - ], - "tags": "No established tags" - }, - "uuid": "6d5b8176-d87d-4402-8af4-53aee9db7b5d", - "value": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE" - }, - { - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_hermetic_wiper_activity.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "related": [ - { - "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", - "tags": [ - 
"estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", - "value": "Hermetic Wiper TG Process Patterns" - }, { "description": "Detects command line parameters used by Hydra password guessing hack tool", "meta": { @@ -52313,9 +51295,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -52348,8 +51330,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], 
@@ -52407,10 +51389,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], "tags": "No established tags" @@ -52431,9 +51413,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], 
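Review bot: The context line `"tags": "No established tags"` that closes the CrackMapExec hunk is a string sentinel where the esentutl_webcache entry just above carries a `"tags": [` array, so `meta.tags` changes type from object to object; a consumer that iterates it to build event tags will either throw or emit one tag per character. Since the commit only touches the order of the surrounding `refs`, the fix belongs in the generator: emit `"tags": []` when a rule has no tags and keep the string sentinel only on scalar fields such as `"logsource.category": "No established category"`. The enclosing cluster object begins and ends outside the hunk.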
@@ -52490,8 +51472,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -52574,8 +51556,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -52625,8 +51607,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ 
@@ -52717,8 +51699,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], @@ -52852,8 +51834,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.radmin.fr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -52920,10 +51902,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/defaultnamehere/cookie_crimes/", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ 
@@ -52943,47 +51925,6 @@ "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "value": "Browser Started with Remote Debugging" }, - { - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/02/21", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "value": "Potential Russian APT Credential Theft Activity" - }, { "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "meta": { @@ -53052,8 +51993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ 
@@ -53073,59 +52014,6 @@ "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "value": "Suspicious Double Extension File Execution" }, - { - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/03/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2020_10189.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", - "value": "Exploited CVE-2020-10189 Zoho ManageEngine" - }, { "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", "meta": { @@ -53139,10 +52027,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", + "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ 
@@ -53162,47 +52050,6 @@ "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", "value": "Suspicious Rundll32 Setupapi.dll Activity" }, - { - "description": "Attempts to detect system changes made by Blue Mockingbird", - "meta": { - "author": "Trent Liffick (@tliffick)", - "creation_date": "2020/05/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_blue_mockingbird.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blue-mockingbird-cryptominer/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blue_mockingbird.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "value": "Blue Mockingbird" - }, { "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", "meta": { 
@@ -53647,57 +52494,6 @@ "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, - { - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ] - }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", - "value": "Exploit for CVE-2017-8759" - }, { "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", "meta": { 
@@ -53744,8 +52540,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -53920,8 +52716,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -54026,8 +52822,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ 
@@ -54131,8 +52927,8 @@ "logsource.product": "windows", "refs": [ "https://www.revshells.com/", - "https://www.php.net/manual/en/features.commandline.php", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.php.net/manual/en/features.commandline.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -54188,8 +52984,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.d7xtech.com/free-software/runx/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.d7xtech.com/free-software/runx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ @@ -54223,8 +53019,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" 
@@ -54334,10 +53130,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], @@ -54404,8 +53200,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ 
@@ -54450,41 +53246,6 @@ "uuid": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, - { - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "meta": { - "author": "Florian Roth (Nextron Systems), wagga", - "creation_date": "2020/12/23", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_lazarus_group_activity.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", - "https://www.hvs-consulting.de/lazarus-report/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_group_activity.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", - "value": "Lazarus Group Activity" - }, { "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", "meta": { @@ -54498,9 +53259,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0404/", - "https://twitter.com/vxunderground/status/1423336151860002816", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ 
@@ -54618,8 +53379,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
 ],
 "tags": [
@@ -54640,39 +53401,6 @@
 "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012",
 "value": "PUA - NSudo Execution"
 },
- {
- "description": "Detects specific process characteristics of Snatch ransomware word document droppers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/08/26",
- "falsepositive": [
- "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely"
- ],
- "filename": "proc_creation_win_malware_snatch_ransomware.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_snatch_ransomware.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204"
- ]
- },
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5325945e-f1f0-406e-97b8-65104d393fff",
- "value": "Potential Snatch Ransomware Activity"
- },
 {
 "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors",
 "meta": {
@@ -54719,8 +53447,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1182391019633029120",
 "https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
 ],
 "tags": [
@@ -54865,12 +53593,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
 ],
@@ -54946,8 +53674,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
 "https://github.com/skelsec/pypykatz",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
 ],
 "tags": [
@@ -55014,8 +53742,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
 "tags": [
@@ -55159,9 +53887,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/frack113/status/1555830623633375232",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
@@ -55238,37 +53966,6 @@
 "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb",
 "value": "Chopper Webshell Process Pattern"
 },
- {
- "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia",
- "meta": {
- "author": "@41thexplorer, Microsoft Defender ATP",
- "creation_date": "2019/11/12",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_apt_tropictrooper.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79",
- "value": "TropicTrooper Campaign November 2018"
- },
 {
 "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process",
 "meta": {
@@ -55283,8 +53980,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
- "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
 "https://blog.viettelcybersecurity.com/saml-show-stopper/",
+ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml"
 ],
 "tags": "No established tags"
@@ -55316,40 +54013,6 @@
 "uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
 "value": "Potential Signing Bypass Via Windows Developer Features"
 },
- {
- "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis",
- "creation_date": "2020/02/01",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002",
- "attack.g0044"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb",
- "value": "Winnti Malware HK University Campaign"
- },
 {
 "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)",
 "meta": {
@@ -55363,12 +54026,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
 "https://twitter.com/SBousseaden/status/1167417096374050817",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://twitter.com/Wietze/status/1542107456507203586",
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
 ],
 "tags": [
@@ -55411,9 +54074,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
 ],
 "tags": [
@@ -55514,11 +54177,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -55619,12 +54282,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -55665,8 +54328,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
 ],
 "tags": [
@@ -55699,12 +54362,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/Hexacorn/status/885258886428725250",
 "https://twitter.com/eral4m/status/1479080793003671557",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
 "https://twitter.com/eral4m/status/1479106975967240209",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
 "tags": [
@@ -55771,8 +54434,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
 ],
 "tags": [
@@ -55806,8 +54469,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -55908,8 +54571,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://twitter.com/_st0pp3r_/status/1560072680887525378",
+ "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml"
 ],
 "tags": [
@@ -56007,58 +54670,6 @@
 "uuid": "efec536f-72e8-4656-8960-5e85d091345b",
 "value": "Set Suspicious Files as System Files Using Attrib.EXE"
 },
- {
- "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom Ueltschi",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_notpetya.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
- "https://securelist.com/schroedingers-petya/78870/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011",
- "attack.t1070.001",
- "attack.credential_access",
- "attack.t1003.001",
- "car.2016-04-002"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1",
- "value": "NotPetya Ransomware Activity"
- },
 {
 "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).",
 "meta": {
@@ -56140,8 +54751,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
 ],
 "tags": [
@@ -56289,40 +54900,6 @@
 "uuid": "90d50722-0483-4065-8e35-57efaadd354d",
 "value": "Arbitrary MSI Download Via Devinit.EXE"
 },
- {
- "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/03/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26857_msexchange.yml"
- ],
- "tags": [
- "attack.t1203",
- "attack.execution",
- "cve.2021.26857"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887",
- "value": "Potential CVE-2021-26857 Exploitation Attempt"
- },
 {
 "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n",
 "meta": {
@@ -56356,40 +54933,6 @@
 "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549",
 "value": "Potential Persistence Via Microsoft Compatibility Appraiser"
 },
- {
- "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Maxime Thiebaut",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "User selecting a different installation folder (check for other sub processes of this explorer.exe process)"
- ],
- "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://streamable.com/q2dsji",
- "https://twitter.com/j0nh4t/status/1429049506021138437",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_razorinstaller_lpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1553"
- ]
- },
- "related": [
- {
- "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167",
- "value": "Suspicious RazerInstaller Explorer Subprocess"
- },
 {
 "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary",
 "meta": {
@@ -56438,11 +54981,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://blog.alyac.co.kr/1901",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -56559,8 +55102,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"
 ],
 "tags": [
@@ -56626,9 +55169,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
 ],
 "tags": [
@@ -56648,42 +55191,6 @@
 "uuid": "242301bc-f92f-4476-8718-78004a6efd9f",
 "value": "DLL Loaded via CertOC.EXE"
 },
- {
- "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/11/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_41379.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/",
- "https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_41379.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61",
- "value": "Potential CVE-2021-41379 Exploitation Attempt"
- },
 {
 "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file",
 "meta": {
@@ -56784,9 +55291,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd2.html#using",
- "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
 ],
 "tags": [
@@ -57137,9 +55644,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
 "tags": [
@@ -57163,9 +55670,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
 ],
 "tags": [
@@ -57421,7 +55928,7 @@
 {
 "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
+ "author": "Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)",
 "creation_date": "2020/07/03",
 "falsepositive": [
 "Scripts created by developers and admins"
@@ -57431,10 +55938,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://curl.se/docs/manpage.html",
 "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml"
 ],
 "tags": [
@@ -57577,9 +56084,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://twitter.com/_JohnHammond/status/1531672601067675648",
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
 ],
 "tags": [
@@ -57737,10 +56244,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -57960,10 +56467,10 @@
 "refs": [
 "https://www.joeware.net/freetools/tools/adfind/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
 "tags": [
@@ -58021,8 +56528,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
 "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_useragent.yml"
 ],
 "tags": [
@@ -58209,10 +56716,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
 "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
- "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
 ],
 "tags": [
@@ -58279,8 +56786,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
+ "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
 "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
 ],
@@ -58370,8 +56877,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
 ],
 "tags": [
@@ -58404,8 +56911,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
 ],
 "tags": [
@@ -58438,8 +56945,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
  "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
  ],
  "tags": "No established tags"
@@ -58460,8 +56967,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
  "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content",
+ "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml"
  ],
  "tags": [
@@ -58519,9 +57026,9 @@
  "logsource.product": "windows",
  "refs": [
  "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
- "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
  "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
  "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
  ],
  "tags": [
@@ -58598,9 +57105,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
  "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
  "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
  ],
  "tags": [
@@ -58645,8 +57152,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
  "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
  ],
  "tags": [
@@ -58752,8 +57259,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
  "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
  "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
  ],
@@ -58774,47 +57281,6 @@
  "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48",
  "value": "Operator Bloopers Cobalt Strike Modules"
  },
- {
- "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2022/02/07",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_actinium_persistence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.t1053.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
- "value": "Potential ACTINIUM Persistence Activity"
- },
  {
  "description": "Detects usage of wmic to start or stop a service",
  "meta": {
@@ -58996,8 +57462,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"
  ],
  "tags": [
@@ -59064,10 +57530,10 @@
  "logsource.product": "windows",
  "refs": [
  "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
  "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
  ],
  "tags": [
@@ -59100,8 +57566,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
  "https://tools.thehacker.recipes/mimikatz/modules",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
  ],
  "tags": [
@@ -59325,9 +57791,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
  "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
  ],
  "tags": [
@@ -59429,9 +57895,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
  "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
  ],
  "tags": [
@@ -59451,66 +57917,6 @@
  "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89",
  "value": "Remote CHM File Download/Execution Via HH.EXE"
  },
- {
- "description": "Detects automated lateral movement by Turla group",
- "meta": {
- "author": "Markus Neis",
- "creation_date": "2017/11/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_turla_commands_critical.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/the-epic-turla-operation/65545/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml"
- ],
- "tags": [
- "attack.g0010",
- "attack.execution",
- "attack.t1059",
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.discovery",
- "attack.t1083",
- "attack.t1135"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f",
- "value": "Turla Group Lateral Movement"
- },
  {
  "description": "Extract data from cab file and hide it in an alternate data stream",
  "meta": {
@@ -59600,10 +58006,10 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
- "https://twitter.com/cglyer/status/1355171195654709249",
  "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
  "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
  ],
@@ -59637,9 +58043,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/frgnca/AudioDeviceCmdlets",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
  "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
+ "https://github.com/frgnca/AudioDeviceCmdlets",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
  ],
  "tags": [
@@ -59659,58 +58065,6 @@
  "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6",
  "value": "Audio Capture via PowerShell"
  },
- {
- "description": "Detects specific process characteristics of Maze ransomware word document droppers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/08",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_maze_ransomware.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/",
- "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_maze_ransomware.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.t1047",
- "attack.impact",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052",
- "value": "Potential Maze Ransomware Activity"
- },
  {
  "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
  "meta": {
@@ -59759,10 +58113,10 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
  "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
  "https://nodejs.org/api/cli.html",
  "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
  ],
  "tags": [
@@ -59795,8 +58149,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
  "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
  "https://github.com/hfiref0x/UACME",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
  ],
@@ -59818,57 +58172,6 @@
  "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc",
  "value": "UAC Bypass Using ChangePK and SLUI"
  },
- {
- "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/11/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2017_11882.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial_access",
- "attack.t1566.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a",
- "value": "Droppers Exploiting CVE-2017-11882"
- },
  {
  "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n",
  "meta": {
@@ -59915,8 +58218,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
  "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
  ],
  "tags": [
@@ -59936,41 +58239,6 @@
  "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f",
  "value": "Fsutil Behavior Set SymlinkEvaluation"
  },
- {
- "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/06/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
- "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_plugx_susp_exe_locations.yml"
- ],
- "tags": [
- "attack.s0013",
- "attack.defense_evasion",
- "attack.t1574.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2",
- "value": "Potential PlugX Activity"
- },
  {
  "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID",
  "meta": {
@@ -60092,40 +58360,6 @@
  "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8",
  "value": "Suspicious Hacktool Execution - Imphash"
  },
- {
- "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'",
- "meta": {
- "author": "Aedan Russell, frack113 (sigma)",
- "creation_date": "2022/06/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_browsers_chrome_load_extension.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/chromeloader/",
- "https://emkc.org/s/RJjuLa",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chrome_load_extension.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1176"
- ]
- },
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
- "value": "Powershell ChromeLoader Browser Hijacker"
- },
  {
  "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
  "meta": {
@@ -60247,8 +58481,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "http://www.xuetr.com/",
  "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "http://www.xuetr.com/",
  "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
  ],
@@ -60340,40 +58574,6 @@
  "uuid": "502b42de-4306-40b4-9596-6f590c81f073",
  "value": "Local Accounts Discovery"
  },
- {
- "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.",
- "meta": {
- "author": "David Burkett, Florian Roth",
- "creation_date": "2019/12/28",
- "falsepositive": [
- "Rare System Admin Activity"
- ],
- "filename": "proc_creation_win_malware_trickbot_recon_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1482"
- ]
- },
- "related": [
- {
- "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "410ad193-a728-4107-bc79-4419789fcbf8",
- "value": "Trickbot Malware Reconnaissance Activity"
- },
  {
  "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",
  "meta": {
@@ -60449,50 +58649,6 @@
  "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
  "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
  },
- {
- "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/09/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/h3v0x/CVE-2021-26084_Confluence",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.execution",
- "attack.t1190",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
- "value": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt"
- },
  {
  "description": "Detects new process creation using WMIC via the \"process call create\" flag",
  "meta": {
@@ -60598,8 +58754,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
  "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
  "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
  ],
@@ -60641,9 +58797,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
  "https://twitter.com/pabraeken/status/990758590020452353",
  "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
  ],
  "tags": [
@@ -60663,39 +58819,6 @@
  "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2",
  "value": "Malicious PE Execution by Microsoft Visual Studio Debugger"
  },
- {
- "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/08/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_other_systemnightmare.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/GossiTheDog/SystemNightmare",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_systemnightmare.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16",
- "value": "Potential SystemNightmare Exploitation Attempt"
- },
  {
  "description": "Detects scheduled task creations that have suspicious action command and folder combinations",
  "meta": {
@@ -60849,8 +58972,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
  "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml"
  ],
  "tags": [
@@ -60906,9 +59029,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
  "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
  "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
  ],
  "tags": [
@@ -60954,50 +59077,6 @@
  "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
  "value": "Process Memory Dump via RdrLeakDiag.EXE"
  },
- {
- "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM",
- "meta": {
- "author": "MSTIC, FPT.EagleEye",
- "creation_date": "2021/06/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_sourgrum.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
- ],
- "tags": [
- "attack.t1546",
- "attack.t1546.015",
- "attack.persistence",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd",
- "value": "SOURGUM Actor Behaviours"
- },
  {
  "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP",
  "meta": {
@@ -61012,8 +59091,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
  "https://isc.sans.edu/diary/22264",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
  "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
  ],
@@ -61081,8 +59160,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://www.echotrail.io/insights/search/mshta.exe",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
  "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
  ],
  "tags": [
@@ -61115,8 +59194,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
  ],
  "tags": [
@@ -61191,9 +59270,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.nirsoft.net/utils/nircmd2.html#using",
- "https://www.nirsoft.net/utils/nircmd.html",
  "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
  ],
  "tags": [
@@ -61250,7 +59329,7 @@
  {
  "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential",
  "meta": {
- "author": "frack113",
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
  "creation_date": "2021/07/20",
  "falsepositive": [
  "Unknown"
@@ -61427,8 +59506,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
  "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
  "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"
  ],
@@ -61504,8 +59583,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/danielbohannon/Invoke-DOSfuscation",
  "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
  ],
  "tags": [
@@ -61567,56 +59646,6 @@ "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Potential Encoded PowerShell Patterns In CommandLine" }, - { - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/05/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_turla_comrat_may20.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "value": "Turla Group Commands May 2020" - }, { "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", "meta": { 
@@ -61664,8 +59693,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ 
@@ -61685,86 +59714,6 @@ "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, - { - "description": "Detects a command used by conti to dump database", - "meta": { - "author": "frack113", - "creation_date": "2021/08/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_database_dump.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ] - }, - "related": [ - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", - "value": "Potential Conti Ransomware Database Dumping Activity" - }, - { - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/09/30", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_emotet.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", - "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "value": "Potential Emotet Activity" - }, { "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "meta": { @@ -61778,10 +59727,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ 
@@ -61875,41 +59824,6 @@ "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", "value": "Psexec Execution" }, - { - "description": "Detects a specific command used by the Conti ransomware group", - "meta": { - "author": "frack113", - "creation_date": "2021/10/12", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_conti_ransomware_commands.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", - "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_commands.yml" - ], - "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" - ] - }, - "related": [ - { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", - "value": "Potential Conti Ransomware Activity" - }, { "description": "Detects suspicious process related to rasdial.exe", "meta": { @@ -61992,9 +59906,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ 
@@ -62098,27 +60012,6 @@ "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", "value": "UAC Bypass Using DismHost" }, - { - "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/04/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" - ], - "tags": "No established tags" - }, - "uuid": "53207cc2-0745-4c19-bc72-80be1cc16b3f", - "value": "Potential CVE-2023-21554 QueueJumper Exploitation" - }, { "description": "Detects suspicious Plink tunnel port forwarding to a local port", "meta": { @@ -62208,8 +60101,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
@@ -62346,8 +60239,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], @@ -62410,9 +60303,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -62581,8 +60474,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ 
@@ -62674,10 +60567,10 @@ "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], @@ -62711,10 +60604,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ 
@@ -62734,29 +60627,6 @@ "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "value": "Suspicious Child Process Created as System" }, - { - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "value": "Potential Raspberry Robin Dot Ending File" - }, { "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", "meta": { @@ -62770,8 +60640,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ 
@@ -62832,8 +60702,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], @@ -62867,8 +60737,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://twitter.com/bohops/status/1635288066909966338", + "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml" ], "tags": [ @@ -62901,9 +60771,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ 
@@ -62970,8 +60840,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ @@ -63013,8 +60883,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/malcomvetter/CSExec", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ @@ -63077,7 +60947,7 @@ "value": "Windows Credential Manager Access via VaultCmd" }, { - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "description": "Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.", "meta": { "author": "FPT.EagleEye Team, wagga", "creation_date": "2020/12/11", @@ -63114,7 +60984,7 @@ } ], "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "value": "Suspicious Shells Spawn by SQL Server" + "value": "Suspicious Child Process Of SQL Server" }, { "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", 
@@ -63172,8 +61042,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ @@ -63308,8 +61178,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml" ], "tags": [ @@ -63377,8 +61247,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], 
@@ -63608,8 +61478,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ @@ -63894,8 +61764,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -63952,10 +61822,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://vms.drweb.fr/virus/?i=24144899", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ 
@@ -64023,8 +61893,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ 
@@ -64078,56 +61948,6 @@ "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "value": "Download Arbitrary Files Via MSOHTMED.EXE" }, - { - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/02/22", - "falsepositive": [ - "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" - ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ] - }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", - "value": "Exploit for CVE-2017-0261" - }, { "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", "meta": { 
@@ -64142,9 +61962,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -64169,8 +61989,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -64373,8 +62193,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ 
@@ -64409,8 +62229,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -64530,8 +62350,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", + "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" ], "tags": [ 
@@ -64573,10 +62393,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ 
@@ -64598,40 +62418,6 @@ "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", "value": "Service DACL Abuse To Hide Services Via Sc.EXE" }, - { - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/02/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", - "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "related": [ - { - "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", - "value": "Exploit for CVE-2015-1641" - }, { "description": "Detects a suspicious execution from an uncommon folder", "meta": { 
@@ -64645,10 +62431,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ 
@@ -64843,40 +62629,6 @@ "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "value": "RunDLL32 Spawning Explorer" }, - { - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community", - "creation_date": "2020/07/30", - "falsepositive": [ - "Legitimate setups that use similar flags" - ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ] - }, - "related": [ - { - "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", - "value": "Winnti Pipemon Characteristics" - }, { "description": "Detects suspicious powershell command line parameters used in Empire", "meta": { 
@@ -64891,8 +62643,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], @@ -64959,8 +62711,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1204705548668555264", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], 
@@ -65015,6 +62767,39 @@
 "uuid": "5687f942-867b-4578-ade7-1e341c46e99a",
 "value": "VMToolsd Suspicious Child Process"
 },
+ {
+ "description": "Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sqlcmd_veeam_db_recon.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "696bfb54-227e-4602-ac5b-30d9d2053312",
+ "value": "Veeam Backup Database Suspicious Query"
+ },
 {
 "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.",
 "meta": {
@@ -65203,8 +62988,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
@@ -65238,10 +63023,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
 ],
 "tags": [
@@ -65309,8 +63094,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
 ],
 "tags": [
@@ -65443,9 +63228,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -65487,17 +63272,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
 "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
 "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -65548,8 +63333,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/DLLRunner",
 "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://github.com/Neo23x0/DLLRunner",
 "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
 "https://twitter.com/cyb3rops/status/1186631731543236608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"
@@ -65651,9 +63436,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml"
 ],
 "tags": [
@@ -65719,10 +63504,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
- "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
 "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
+ "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
 "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
 "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml"
 ],
@@ -65811,9 +63596,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -65917,40 +63702,6 @@
 "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e",
 "value": "LOLBIN Execution Of The FTP.EXE Binary"
 },
- {
- "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/11/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2019_1388.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
- "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c",
- "value": "Exploiting CVE-2019-1388"
- },
 {
 "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation",
 "meta": {
@@ -65964,12 +63715,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
 "https://github.com/ohpe/juicy-potato",
 "https://www.localpotato.com/",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
 ],
 "tags": [
@@ -66076,11 +63827,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -66102,40 +63853,6 @@
 "uuid": "98c5aeef-32d5-492f-b174-64a691896d25",
 "value": "Service Security Descriptor Tampering Via Sc.EXE"
 },
- {
- "description": "Detects potential QBot activity by looking for process executions used previously by QBot",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/10/01",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_qbot.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
- "https://twitter.com/killamjr/status/1179034907932315648",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040",
- "value": "Potential QBot Activity"
- },
 {
 "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.",
 "meta": {
@@ -66191,9 +63908,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
 "tags": [
@@ -66260,46 +63977,6 @@
 "uuid": "37e8d358-6408-4853-82f4-98333fca7014",
 "value": "Remote Access Tool - NetSupport Execution From Unusual Location"
 },
- {
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2017/11/10",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_malware_adwind.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_adwind.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71",
- "value": "Adwind RAT / JRAT"
- },
 {
 "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism",
 "meta": {
@@ -66313,10 +63990,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
 "https://twitter.com/mattifestation/status/1326228491302563846",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
 "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
 ],
@@ -66459,9 +64136,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": "No established tags"
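Review bot: The last context line of the second hunk, `"tags": "No established tags"`, gives the `tags` key a string type, while the other entries touched in this diff carry `"tags": [ ... ]` arrays; a consumer that iterates `meta.tags` will walk the characters of the sentinel instead of getting an empty list. The line is unchanged by this commit and presumably comes from the generator's handling of rules that carry no ATT&CK tags, so the fix belongs there: emit `"tags": []` (or omit the key) rather than a sentinel string. The same sentinel style appears as `"falsepositive": "No established falsepositives"` in an entry removed elsewhere in this diff, so it is likely a generator-wide pattern worth checking in one pass.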
@@ -66515,8 +64192,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
 "https://github.com/Hackplayers/evil-winrm",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml"
 ],
 "tags": [
@@ -66584,8 +64261,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
 ],
 "tags": [
@@ -66710,9 +64387,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://twitter.com/pabraeken/status/990717080805789697",
 "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -66846,9 +64523,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
 ],
 "tags": [
@@ -66924,10 +64601,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml"
 ],
 "tags": [
@@ -67079,8 +64756,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/quarkslab/quarkspwdump",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
 ],
 "tags": [
@@ -67448,8 +65125,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
 ],
 "tags": [
@@ -67524,8 +65201,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
 "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml"
 ],
 "tags": [
@@ -67558,9 +65235,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
@@ -67792,11 +65469,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
- "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
 "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
 "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
+ "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
 "https://twitter.com/aceresponder/status/1636116096506818562",
+ "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
 ],
 "tags": [
@@ -67817,27 +65494,6 @@
 "uuid": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555",
 "value": "Suspicious WebDav Client Execution"
 },
- {
- "description": "Detects command line patterns used by BlackByte ransomware in different operations",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_blackbyte_ransomware.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blackbyte_ransomware.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "999e8307-a775-4d5f-addc-4855632335be",
- "value": "Potential BlackByte Ransomware Activity"
- },
 {
 "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.",
 "meta": {
@@ -67851,8 +65507,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://twitter.com/nas_bench/status/1618021415852335105",
+ "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -67961,8 +65617,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hashcat.net/wiki/doku.php?id=hashcat",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
+ "https://hashcat.net/wiki/doku.php?id=hashcat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml"
 ],
 "tags": [
@@ -68040,9 +65696,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://twitter.com/vysecurity/status/974806438316072960",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://twitter.com/vysecurity/status/873181705024266241",
- "https://twitter.com/vysecurity/status/974806438316072960",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
 "tags": [
@@ -68149,9 +65805,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
 ],
 "tags": [
@@ -68217,8 +65873,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/tevora-threat/SharpView/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
@@ -68284,8 +65940,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
@@ -68307,40 +65963,6 @@
 "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658",
 "value": "UAC Bypass WSReset"
 },
- {
- "description": "Detects Ryuk ransomware activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/12/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_ryuk.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
- "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844",
- "value": "Potential Ryuk Ransomware Activity"
- },
 {
 "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view",
 "meta": {
@@ -68463,8 +66085,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"
 ],
@@ -68540,8 +66162,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://nmap.org/ncat/",
+ "https://www.revshells.com/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
@@ -68576,10 +66198,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
 ],
 "tags": [
@@ -68680,9 +66302,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/for.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
 "https://ss64.com/ps/foreach-object.htmll",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/nt/for.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
 ],
 "tags": [
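Review bot: The context line `"https://ss64.com/ps/foreach-object.htmll"` in the third hunk (`@@ -68680,9 +66302,9 @@`) carries a doubled `l` in the file extension, so the reference is a dead link as written; this commit only moves the neighbouring entries around it. The value presumably comes straight from the upstream Sigma rule's `references` list (`proc_creation_win_susp_network_scan_loop.yml`), so the correction belongs there and should flow into this cluster on the next regeneration rather than being hand-patched here, where it would be overwritten.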
@@ -68747,8 +66369,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -68939,8 +66561,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
 "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
 ],
 "tags": [
@@ -68960,6 +66582,48 @@
 "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f",
 "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
 },
+ {
+ "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n",
+ "meta": {
+ "author": "Micah Babinski, @micahbabinski",
+ "creation_date": "2023/05/07",
+ "falsepositive": [
+ "Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use."
+ ],
+ "filename": "proc_creation_win_homoglyph_cyrillic_lookalikes.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1036.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc",
+ "value": "Potential Homoglyph Attack Using Lookalike Characters"
+ },
 {
 "description": "Detects the usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique",
 "meta": {
@@ -68996,8 +66660,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
 ],
 "tags": [
@@ -69175,10 +66839,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -69474,8 +67138,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
 "https://github.com/GhostPack/Seatbelt",
+ "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
 ],
 "tags": [
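Review bot: The new homoglyph entry's `description` carries literal `\n` sequences in the middle of sentences and a trailing `\n` (`...to ASCII letter characters.\nThis is used...`), which looks like a YAML block scalar copied verbatim rather than folded into one paragraph; the remote-access-tools description further down this page shows the same artifact. Folding the scalar in the generator, or at least stripping the trailing newline, would give consumers a clean one-paragraph description without changing its content. The wording `used as an obfuscation and masquerading techniques` also has a number disagreement; if descriptions are passed through untouched that is a fix for the upstream rule, not for this file.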
@@ -69592,8 +67256,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml"
 ],
 "tags": [
@@ -69659,8 +67323,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
 ],
 "tags": [
@@ -69727,8 +67391,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"
 ],
 "tags": [
@@ -69795,10 +67459,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -69841,10 +67505,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
 "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -69963,18 +67627,19 @@
 "value": "System File Execution Location Anomaly"
 },
 {
- "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression",
+ "description": "Detects PowerShell download and execution cradles.",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2022/03/24",
 "falsepositive": [
- "Scripts or tools that download files and execute them"
+ "Some PowerShell installers were seen using similar combinations. Apply filters accordingly"
 ],
 "filename": "proc_creation_win_powershell_download_iex.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
 ],
@@ -69993,7 +67658,7 @@
 }
 ],
 "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775",
- "value": "PowerShell Web Download and Execution"
+ "value": "PowerShell Download and Execution Cradles"
 },
 {
 "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)",
@@ -70042,8 +67707,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
 ],
 "tags": [
@@ -70175,8 +67840,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://twitter.com/bohops/status/994405551751815170",
+ "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
 ],
@@ -70264,40 +67929,6 @@
 "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4",
 "value": "Potential PowerShell Obfuscation Via Reversed Commands"
 },
- {
- "description": "Detects a command used by conti to exfiltrate NTDS",
- "meta": {
- "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_conti_7zip.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560"
- ]
- },
- "related": [
- {
- "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41",
- "value": "Conti NTDS Exfiltration Command"
- },
 {
 "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)",
 "meta": {
@@ -70376,8 +68007,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
 ],
 "tags": [
@@ -70622,8 +68253,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
@@ -70649,8 +68280,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
 ],
 "tags": [
@@ -70751,8 +68382,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
 ],
 "tags": [
@@ -70785,9 +68416,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/winsiderss/systeminformer",
 "https://processhacker.sourceforge.io/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://github.com/winsiderss/systeminformer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
 ],
 "tags": "No established tags"
@@ -70808,9 +68439,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
 ],
 "tags": [
@@ -71043,8 +68674,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
 ],
@@ -71113,8 +68744,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
 "https://twitter.com/kmkz_security/status/1220694202301976576",
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml"
 ],
 "tags": [
@@ -71322,6 +68953,30 @@
 "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
 "value": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
+ {
+ "description": "Detects file download using curl.exe",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "56454143-524f-49fb-b1c6-3fb8b1ad41fb",
+ "value": "Suspicious File Download From File Sharing Domain Via Curl.EXE"
+ },
 {
 "description": "Detects the Installation of a Exchange Transport Agent",
 "meta": {
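Review bot: The new curl entry's `description`, `Detects file download using curl.exe`, is broader than what its `filename` and `value` say the rule is keyed on (downloads from suspicious file-sharing domains), so an analyst reading the cluster description alone gets no hint of the actual trigger; a description such as `Detects file downloads via curl.exe from known file-sharing domains` would match the rule name. The `tags` array also carries only the tactic `attack.execution` with no technique id, and there is no `related` array, unlike the neighbouring entries that map to a technique uuid; if the upstream rule carries a technique it should be propagated, otherwise the tactic-only tagging is worth raising upstream. `falsepositive` of `Unknown` alongside `level` `high` is consistent with other entries on this page, but for a rule that matches by domain list it would help to name the legitimate uses of those domains that were considered.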
@@ -71553,11 +69208,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
 "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -71665,11 +69320,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
 ],
 "tags": [
@@ -71847,9 +69502,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/1009",
- "https://redcanary.com/blog/raspberry-robin/",
 "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://redcanary.com/blog/raspberry-robin/",
+ "https://github.com/SigmaHQ/sigma/issues/1009",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
 ],
 "tags": [
@@ -71930,40 +69585,27 @@
 "value": "PUA - CleanWipe Execution"
 },
 {
- "description": "Detects DarkSide Ransomware and helpers",
+ "description": "Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/05/14",
- "falsepositive": [
- "Unknown",
- "UAC bypass method used by other malware"
- ],
- "filename": "proc_creation_win_malware_darkside_ransomware.yml",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_mssql_veaam_susp_child_processes.yml",
 "level": "critical",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
- "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_darkside_ransomware.yml"
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204"
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation"
 ]
 },
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c",
- "value": "DarkSide Ransomware Pattern"
+ "uuid": "d55b793d-f847-4eea-b59a-5ab09908ac90",
+ "value": "Suspicious Child Process Of Veeam Dabatase"
 },
 {
 "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.",
@@ -72155,9 +69797,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
 "tags": "No established tags"
@@ -72165,41 +69807,6 @@
 "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e",
 "value": "Suspicious WERMGR Process Patterns"
 },
- {
- "description": "Detects Archer malware invocation via rundll32",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_fireball.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/",
- "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d",
- "value": "Fireball Archer Install"
- },
 {
 "description": "Detects suspicious PowerShell invocation command parameters",
 "meta": {
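Review bot: The new Veeam entry sets `"falsepositive": "No established falsepositives"` as a bare string where every other entry in this hunk and on this page uses an array (`"falsepositive": [ "Unknown" ]`), so the key changes type from entry to entry and a consumer that iterates it will, in most languages, walk the characters of the sentinel string instead of a list; the generator should emit `[]` (or a one-element array) for the missing case, and the same type switch already affects `tags` (`"tags": "No established tags"` elsewhere on this page). Both the `value` `Suspicious Child Process Of Veeam Dabatase` and the `filename` `proc_creation_win_mssql_veaam_susp_child_processes.yml` carry typos (`Dabatase`, `veaam`); the filename presumably mirrors the upstream file and must stay in sync with it, but the display name should be corrected once upstream fixes the title. The entry also lists three tactics in `tags` with no technique id and drops the `related` array that the DarkSide entry it replaces in this hunk carried, so it will not link to any ATT&CK technique cluster.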
@@ -72235,9 +69842,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -72302,8 +69909,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
+ "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"
 ],
 "tags": [
@@ -72345,8 +69952,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -72449,42 +70056,6 @@
 "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e",
 "value": "Audio Capture via SoundRecorder"
 },
- {
- "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2019/09/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_formbook.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
- "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
- "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
- "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b",
- "value": "Formbook Process Creation"
- },
 {
 "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
 "meta": {
@@ -72531,24 +70102,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/samratashok/nishang",
 "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://adsecurity.org/?p=2921",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -72672,8 +70243,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -72867,8 +70438,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml"
 ],
 "tags": [
@@ -72901,8 +70472,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -73157,9 +70728,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
 ],
 "tags": [
@@ -73194,8 +70765,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.poweradmin.com/paexec/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.poweradmin.com/paexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
 ],
 "tags": [
@@ -73295,8 +70866,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/ilasm.exe", "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", + "https://www.echotrail.io/insights/search/ilasm.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" ], "tags": [ @@ -73329,8 +70900,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml" ], "tags": [ @@ -73471,8 +71042,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ 
@@ -73538,8 +71109,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], 
@@ -73642,41 +71213,6 @@ "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "value": "Port Forwarding Attempt Via SSH" }, - { - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "meta": { - "author": "Florian Roth (Nextron Systems), @neonprimetime", - "creation_date": "2021/09/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2021_40444.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.joesandbox.com/analysis/476188/1/iochtml", - "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", - "value": "Potential CVE-2021-40444 Exploitation Attempt" - }, { "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", "meta": { 
@@ -73691,9 +71227,9 @@ "logsource.product": "windows", "refs": [ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -73759,8 +71295,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" ], "tags": [ 
@@ -73803,6 +71339,41 @@ "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", "value": "Net WebClient Casing Anomalies" }, + { + "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions", + "meta": { + "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browsers_chromium_susp_load_extension.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1176" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "value": "Suspicious Chromium Browser Instance Executed With Custom Extensions" + }, { "description": "Detects suspicious process run from unusual locations", "meta": { @@ -73850,8 +71421,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/jpillora/chisel/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], 
@@ -73919,10 +71490,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/bohops/status/980659399495741441", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://twitter.com/bohops/status/980659399495741441", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], @@ -74003,11 +71574,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ 
@@ -74101,100 +71672,6 @@ "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "value": "Net.exe Execution" }, - { - "description": "Detects activity that could be related to Baby Shark malware", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/02/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_babyshark.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_babyshark.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.discovery", - "attack.t1012", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1218.005" - ] - }, - "related": [ - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "value": "Potential Baby Shark Malware Activity" - }, - { - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "meta": { - "author": "Markus Neis, Swisscom", - "creation_date": "2020/06/18", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_malware_ke3chang_tidepool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ke3chang_tidepool.yml" - ], - "tags": [ - "attack.g0004", - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "related": [ - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", - "value": "Potential Ke3chang/TidePool Malware Activity" - }, { "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { @@ -74208,9 +71685,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ 
@@ -74230,57 +71707,6 @@ "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", "value": "Potential Suspicious Mofcomp Execution" }, - { - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/11/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" - ] - }, - "related": [ - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "value": "Exploiting SetupComplete.cmd CVE-2019-1378" - }, { "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and 
so on) directly by running te.exe\n", "meta": { @@ -74294,9 +71720,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -74394,8 +71820,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ 
@@ -74405,42 +71831,6 @@ "uuid": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "value": "Mstsc.EXE Execution From Uncommon Parent" }, - { - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "meta": { - "author": "TropChaud", - "creation_date": "2023/01/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", - "https://www.joesandbox.com/analysis/790122/0/html", - "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", - "https://twitter.com/anfam17/status/1607477672057208835", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5", - "value": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" - }, { "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "meta": { 
@@ -74529,8 +71919,8 @@ "logsource.product": "windows", "refs": [ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", - "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ @@ -74553,9 +71943,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ 
@@ -74588,10 +71978,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -74657,8 +72047,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ @@ -74692,9 +72082,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ 
@@ -74836,8 +72226,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -74870,8 +72260,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" ], "tags": [ @@ -75037,13 +72427,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/zcgonvh/NTDSDumpEx", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ 
@@ -75596,8 +72986,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -75686,8 +73076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ @@ -75754,8 +73144,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ 
@@ -75995,43 +73385,6 @@ "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" }, - { - "description": "Detects Elise backdoor activity used by APT32", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2018/01/31", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_elise.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", - "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_elise.yml" - ], - "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" - ] - }, - "related": [ - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", - "value": "Elise Backdoor Activity" - }, { "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "meta": { @@ -76045,8 +73398,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1465058133303246867", "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://twitter.com/mrd0x/status/1465058133303246867", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ 
@@ -76188,9 +73541,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ @@ -76283,15 +73636,15 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/04/18", "falsepositive": [ - "Likelihood is related to how often the paths are used in the environement" + "Likelihood is related to how often the paths are used in the environment" ], "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ 
@@ -76390,29 +73743,6 @@ "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "value": "Nslookup PowerShell Download Cradle - ProcessCreation" }, - { - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)", - "meta": { - "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)", - "creation_date": "2022/11/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/filip_dragovic/status/1590104354727436290", - "https://twitter.com/filip_dragovic/status/1590052248260055041", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" - ], - "tags": "No established tags" - }, - "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "value": "Suspicious Sysmon as Execution Parent" - }, { "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", "meta": { @@ -76426,8 +73756,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ 
@@ -76484,8 +73814,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://ss64.com/bash/rar.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], 
@@ -76529,31 +73859,6 @@ "uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "value": "Renamed Office Binary Execution" }, - { - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/04/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/kagancapar/CVE-2022-29072", - "https://twitter.com/kagancapar/status/1515219358234161153", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_29072_7zip.yml" - ], - "tags": [ - "attack.execution", - "cve.2022.29072" - ] - }, - "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "value": "Potential CVE-2022-29072 Exploitation Attempt" - }, { "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", "meta": { 
@@ -76567,10 +73872,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_office.yml" ], "tags": [ @@ -76604,8 +73909,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -76782,9 +74087,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ 
@@ -76952,8 +74257,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/992008180904419328",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
 ],
 "tags": [
@@ -77231,40 +74536,6 @@
 "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d",
 "value": "Remote Access Tool - RURAT Execution From Unusual Location"
 },
- {
- "description": "Detects a command used by conti to find volume shadow backups",
- "meta": {
- "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_conti.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
- ],
- "tags": [
- "attack.t1587.001",
- "attack.resource_development"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d",
- "value": "Conti Volume Shadow Listing"
- },
 {
 "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.",
 "meta": {
@@ -77312,9 +74583,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
 "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
 ],
@@ -77382,9 +74653,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
 "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
+ "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
 ],
 "tags": [
@@ -77441,9 +74712,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://twitter.com/mvelazco/status/1410291741241102338",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
 ],
 "tags": [
@@ -77509,9 +74780,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
 "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
@@ -77554,8 +74825,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
 "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
 ],
 "tags": [
@@ -77588,16 +74859,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://github.com/tennc/webshell",
 "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
 "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://github.com/tennc/webshell",
 "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
 "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -77631,11 +74902,11 @@
 "logsource.product": "No established product",
 "refs": [
 "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
- "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
 "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
 "tags": [
@@ -77699,6 +74970,41 @@
 "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5",
 "value": "Suspicious SQL Query"
 },
+ {
+ "description": "Detects when Okta FastPass prevents a known phishing site.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2023/05/07",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "okta_fastpass_phishing_detection.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://sec.okta.com/fastpassphishingdetection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
+ "value": "Okta FastPass Phishing Detection"
+ },
 {
 "description": "Detects when an security threat is detected in Okta.",
 "meta": {
@@ -77947,9 +75253,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
 "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
+ "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -78092,8 +75398,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
 ],
 "tags": [
@@ -78126,8 +75432,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
 ],
 "tags": [
@@ -78160,8 +75466,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
@@ -78194,8 +75500,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
 ],
 "tags": [
@@ -78228,8 +75534,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
 ],
 "tags": [
@@ -78252,11 +75558,11 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://www.sygnia.co/golden-saml-advisory",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://o365blog.com/post/aadbackdoor/",
+ "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
 ],
 "tags": [
@@ -78289,8 +75595,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
 ],
 "tags": [
@@ -78356,8 +75662,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
 ],
 "tags": [
@@ -78390,8 +75696,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
 ],
 "tags": [
@@ -78424,8 +75730,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
@@ -78448,8 +75754,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
@@ -78482,8 +75788,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
 ],
 "tags": [
@@ -78549,8 +75855,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
@@ -78738,8 +76044,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
 "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
 "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
@@ -78777,8 +76083,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners",
 "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
+ "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml"
 ],
 "tags": [
@@ -78964,11 +76270,11 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1267",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/elastic/detection-rules/pull/1267",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
@@ -79016,9 +76322,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -79281,8 +76587,8 @@
 "logsource.product": "google_workspace",
 "refs": [
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -79492,13 +76798,13 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://github.com/elastic/detection-rules/pull/1145/files",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
 ],
 "tags": [
@@ -79776,8 +77082,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
 "https://github.com/elastic/detection-rules/pull/1214",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
 ],
 "tags": [
@@ -80105,9 +77411,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
 "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
 "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
- "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
 ],
 "tags": [
@@ -80264,9 +77570,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
 "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml"
 ],
 "tags": [
@@ -81467,8 +78773,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
 ],
 "tags": [
@@ -81661,11 +78967,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -82784,11 +80090,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
@@ -82855,11 +80161,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -83036,11 +80342,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -83181,10 +80487,10 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -83286,11 +80592,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -83919,11 +81225,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -83948,11 +81254,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -83972,6 +81278,40 @@
 "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
 "value": "Azure Kubernetes Service Account Modified or Deleted"
 },
+ {
+ "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2021/05/31",
+ "falsepositive": [
+ "Serious issues with a configuration or plugin"
+ ],
+ "filename": "web_nginx_core_dump.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
+ "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
+ "value": "Nginx Core Dump"
+ },
 {
 "description": "Detects an issue in apache logs that reports threading related errors",
 "meta": {
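Review bot: The new Nginx Core Dump cluster records `"logsource.product": "No established product"` even though the rule is nginx-specific (its SigmaHQ path is `rules/web/product/nginx/`), so anyone selecting galaxy clusters by product will not find it. If the upstream YAML declares `product: nginx` in its logsource, the generator is dropping the value — the Okta cluster added elsewhere in this same patch does carry `"logsource.product": "okta"`, so the mapping works in general — otherwise the gap is upstream and worth a Sigma PR. The `creation_date` of 2021/05/31 together with a stable uuid suggests this entry is a relocation within the file after the rule moved under `product/nginx/` rather than a new detection, which keeps existing MISP event tags resolving. Both observations are inferred from the visible lines; the generator and the upstream YAML are outside this patch.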
@@ -84026,41 +81366,6 @@
 "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
 "value": "Apache Segmentation Fault"
 },
- {
- "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2020/03/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://paper.seebug.org/1495/",
- "https://twitter.com/wugeej/status/1369476795255320580",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21978_vmware_view_planner_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.21978"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9",
- "value": "CVE-2021-21978 Exploitation Attempt"
- },
 {
 "description": "Detects common commands used in Windows webshells",
 "meta": {
@@ -84096,292 +81401,6 @@ "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", "value": "Windows Webshell Strings" }, - { - "description": "Detects exploitation attempts on WebLogic servers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/11/02", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_14882_weblogic_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/jas502n/status/1321416053050667009?s=20", - "https://twitter.com/sudo_sudoka/status/1323951871078223874", - "https://isc.sans.edu/diary/26734", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.14882" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", - "value": "Oracle WebLogic Exploit CVE-2020-14882" - }, - { - "description": "Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection", - "meta": { - "author": "Sittikorn S, Nuttakorn T", - "creation_date": "2022/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_26084_confluence_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", - "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", - "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26084_confluence_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "38825179-3c78-4fed-b222-2e2166b926b1", - "value": "Potential CVE-2021-26084 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/01/25", - "falsepositive": [ - "Unknown" - ], - "filename": "web_sonicwall_jarrewrite_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6f55f047-112b-4101-ad32-43913f52db46", - "value": "SonicWall SSL/VPN Jarrewrite Exploit" - }, - { - "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/03", - "falsepositive": [ - "Legitimate access to other web applications that use the same folder names as Exchange (e.g. 
owa, ecp) but are not Microsoft Exchange related" - ], - "filename": "web_exchange_exploitation_hafnium.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", - "value": "Exchange Exploitation Used by HAFNIUM" - }, - { - "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/12/17", - "falsepositive": [ - "Unknown" - ], - "filename": "web_solarwinds_supernova_webshell.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.anquanke.com/post/id/226029", - "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", - "value": "Solarwinds SUPERNOVA Webshell Access" - }, - { - "description": "Detects access to a webshell dropped into a keystore 
folder on the WebLogic server", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/07/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2018_2894_weblogic_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/LandGrey/CVE-2018-2894", - "https://twitter.com/pyn3rd/status/1020620932967223296", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.t1505.003", - "cve.2018.2894" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", - "value": "Oracle WebLogic Exploit" - }, - { - "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/07/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://dmaasland.github.io/posts/citrix.html", - "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", - "https://support.citrix.com/article/CTX276688", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", - "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" - }, - { - "description": "Detects a successful Grafana path traversal exploitation", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/12/08", - "falsepositive": [ - "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" - ], - "filename": "web_cve_2021_43798_grafana.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", - "https://github.com/search?q=CVE-2021-43798", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", - "value": "Grafana Path Traversal Exploitation CVE-2021-43798" - }, { "description": "Detects exploitation attempt using the JDNIExploiit Kit", "meta": { 
@@ -84404,121 +81423,10 @@ "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", "value": "JNDIExploit Pattern" }, - { - "description": "Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/12/11", - "falsepositive": [ - "Vulnerability Scanners" - ], - "filename": "web_cve_2021_27905_apache_solr_exploit.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/murataydemir/CVE-2021-27905", - "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", - "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", - "https://twitter.com/Al1ex4/status/1382981479727128580", - "https://twitter.com/sec715/status/1373472323538362371", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_27905_apache_solr_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.27905" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3", - "value": "Potential CVE-2021-27905 Exploitation Attempt" - }, - { - "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2022_27925_exploit.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", - 
"https://www.yang99.top/index.php/archives/82/", - "https://github.com/vnhacker1337/CVE-2022-27925-PoC", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_27925_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.27925" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", - "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" - }, - { - "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/29", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", - "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", - "https://twitter.com/_0xf4n9x_/status/1572052954538192901", - "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.36804" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", - "value": "Atlassian Bitbucket Command Injection Via 
Archive API" - }, { "description": "Detects SQL Injection attempts via GET requests in access logs", "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali", + "author": "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/02/22", "falsepositive": [ "Java scripts and CSS Files", @@ -84530,10 +81438,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/sql-injection-payload-list", - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://github.com/payloadbox/sql-injection-payload-list", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": "No established tags" 
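Review bot: The `refs` rewrite in the `@@ -84530` hunk on this line changes nothing but the order of the same four URLs, and the `@@ -84795` and `@@ -85040` hunks later in the patch (as well as the relocated Nginx element at the top) show the same reshuffle, so a large share of this diff is ordering noise rather than content. That pattern suggests the generator emits `refs` in set or hash order; sorting the list, or preserving the order of the upstream rule's references, before serialising would make future cluster updates reviewable and keep diffs limited to real changes. The author string change in the `@@ -84404` hunk, `"author": "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)"`, is the only content change on the new side here and looks correct.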
@@ -84541,247 +81449,6 @@ "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", "value": "SQL Injection Strings" }, - { - "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/22", - "falsepositive": [ - "Unlikely" - ], - "filename": "web_exchange_owassrf_poc_exploitation.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082", - "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver" - }, - { - "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_26814_wzuh_rce.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.21978", - "cve.2021.26814" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", - "value": "Exploitation of CVE-2021-26814 in Wazuh" - }, - { - "description": "Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2023/02/23", - "falsepositive": [ - "Vulnerability scanners" - ], - "filename": "web_cve_2023_23752_joomla_exploit_attempt.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/momika233/status/1626464189261942786", - "https://xz.aliyun.com/t/12175", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2023_23752_joomla_exploit_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2023.23752" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0e1ebc5a-15d0-4bf6-8199-b2535397433a", - "value": "Potential CVE-2023-23752 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/22", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_exchange_owassrf_exploitation.yml", - "level": "high", - 
"logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7", - "value": "Potential OWASSRF Exploitation Attempt - Webserver" - }, - { - "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/31", - "falsepositive": [ - "Serious issues with a configuration or plugin" - ], - "filename": "web_nginx_core_dump.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_nginx_core_dump.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ] - }, - "related": [ - { - "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", - "value": "Nginx Core Dump" - }, - { - "description": "This rule detects exploitation attempts using Pulse Connect 
Secure(PCS) vulnerability (CVE-2021-22893)", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/29", - "falsepositive": [ - "Vulnerability Scanning" - ], - "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", - "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22893_pulse_secure_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", - "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" - }, - { - "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. 
(dot dot) in the class_key parameter.\n", - "meta": { - "author": "Subhash Popuri (@pbssubhash)", - "creation_date": "2021/08/25", - "falsepositive": [ - "Scanning from Nuclei", - "Unknown" - ], - "filename": "web_cve_2010_5278_exploitation_attempt.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2010_5278_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", - "value": "CVE-2010-5278 Exploitation Attempt" - }, { "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", "meta": { @@ -84795,8 +81462,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ 
@@ -84816,217 +81483,6 @@ "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", "value": "Source Code Enumeration Detection by Keyword" }, - { - "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/07/05", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_5902_f5_bigip.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", - "https://twitter.com/yorickkoster/status/1279709009151434754", - "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", - "https://support.f5.com/csp/article/K52145254", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", - "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" - }, - { - "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/02/24", - "falsepositive": [ - "OVA uploads to your VSphere appliance" - ], - "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", - "https://f5.pm/go-59627.html", - "https://swarm.ptsecurity.com/unauth-rce-vmware", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", - "value": "CVE-2021-21972 VSphere Exploitation" - }, - { - "description": "Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/27", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_46169_cacti_exploitation_attempt.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", - "https://github.com/rapid7/metasploit-framework/pull/17407", - "https://github.com/0xf4n9x/CVE-2022-46169", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.46169" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192", - "value": "Potential CVE-2022-46169 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/12/10", - "falsepositive": [ - "Vulnerability scanning" - ], - "filename": 
"web_cve_2021_44228_log4j_fields.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", - "https://github.com/YfryTchsGD/Log4jAttackSurface", - "https://news.ycombinator.com/item?id=29504755", - "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", - "value": "Log4j RCE CVE-2021-44228 in Fields" - }, - { - "description": "Detects access to DEWMODE webshell as described in FIREEYE report", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/02/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_unc2546_dewmode_php_webshell.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", - "value": "DEWMODE Webshell Access" - }, - { - "description": "Detects CVE-2019-11510 
exploitation attempt - URI contains Guacamole", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/11/18", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.exploit-db.com/exploits/47297", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", - "value": "Pulse Secure Attack CVE-2019-11510" - }, { "description": "Detects possible Java payloads in web access logs", "meta": { @@ -85040,11 +81496,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ 
@@ -85055,39 +81511,6 @@ "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", "value": "Java Payload Strings" }, - { - "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/05/14", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_28480_exchange_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", - "value": "Exchange Exploitation CVE-2021-28480" - }, { "description": "Detects XSS attempts injected via GET requests in access logs", "meta": { 
@@ -85112,41 +81535,6 @@
 "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409",
 "value": "Cross Site Scripting Strings"
 },
- {
- "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
- "https://twitter.com/pyn3rd/status/1351696768065409026",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_2109_weblogic_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2021.2109"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "687f6504-7f44-4549-91fc-f07bab065821",
- "value": "Oracle WebLogic Exploit CVE-2021-2109"
- },
 {
 "description": "Detects path traversal exploitation attempts",
 "meta": {
@@ -85181,76 +81569,6 @@
 "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35",
 "value": "Path Traversal Exploitation Attempts"
 },
- {
- "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/11/17",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "filename": "web_cve_2021_42237_sitecore_report_ashx.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
- "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f",
- "value": "Sitecore Pre-Auth RCE CVE-2021-42237"
- },
- {
- "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/19",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_33891_spark_shell_command_injection.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.33891"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c",
- "value": "Apache Spark Shell Command Injection - Weblogs"
- },
 {
 "description": "Detects known suspicious (default) user-agents related to scanning/recon tools",
 "meta": {
@@ -85264,9 +81582,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
 "tags": [
@@ -85286,166 +81604,6 @@
 "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a",
 "value": "Suspicious User-Agents Related To Recon Tools"
 },
- {
- "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/12",
- "falsepositive": [
- "Vulnerability scanners",
- "Legitimate access to the URI"
- ],
- "filename": "web_cve_2022_31659_vmware_rce.yml",
- "level": "medium",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706",
- "value": "CVE-2022-31659 VMware Workspace ONE Access RCE"
- },
- {
- "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2020/12/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_13379_fortinet_preauth_read_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a2e97350-4285-43f2-a63f-d0daff291738",
- "value": "Fortinet CVE-2018-13379 Exploitation"
- },
- {
- "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
- "meta": {
- "author": "Bhabesh Raj, Florian Roth",
- "creation_date": "2021/08/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_22123_fortinet_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22123_fortinet_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
- "value": "Fortinet CVE-2021-22123 Exploitation"
- },
- {
- "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Rich Warren",
- "creation_date": "2021/08/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_exchange_proxyshell.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
- "value": "Exchange ProxyShell Pattern"
- },
- {
- "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Rich Warren",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_exchange_proxyshell_successful.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml"
- ],
- "tags": [
- "attack.initial_access"
- ]
- },
- "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8",
- "value": "Successful Exchange ProxyShell Attack"
- },
 {
 "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.",
 "meta": {
@@ -85459,8 +81617,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/sensepost/reGeorg",
 "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
+ "https://github.com/sensepost/reGeorg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml"
 ],
 "tags": [
@@ -85480,403 +81638,6 @@
 "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003",
 "value": "Webshell ReGeorg Detection Via Web Logs"
 },
- {
- "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/10",
- "falsepositive": [
- "Vulnerability scanning"
- ],
- "filename": "web_cve_2021_44228_log4j.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://news.ycombinator.com/item?id=29504755",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
- "value": "Log4j RCE CVE-2021-44228 Generic"
- },
- {
- "description": "Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/01/20",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_44877_exploitation_attempt.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/",
- "https://seclists.org/fulldisclosure/2023/Jan/1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.44877"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1b2eeb27-949b-4704-8bfa-d8e5cfa045a1",
- "value": "Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877"
- },
- {
- "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2019_3398_confluence.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
- "value": "Confluence Exploitation CVE-2019-3398"
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)",
- "creation_date": "2021/08/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_33766_msexchange_proxytoken.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
- "value": "CVE-2021-33766 Exchange ProxyToken Exploitation"
- },
- {
- "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/08/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://www.tenable.com/security/research/tra-2021-13",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.20090",
- "cve.2021.20091"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f0500377-bc70-425d-ac8c-e956cd906871",
- "value": "Arcadyan Router Exploitations"
- },
- {
- "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_28188_terramaster_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.28188"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e",
- "value": "TerraMaster TOS CVE-2020-28188"
- },
- {
- "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts",
- "meta": {
- "author": "Bhabesh Raj, Tim Shelton",
- "creation_date": "2020/12/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_10148_solarwinds_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://kb.cert.org/vuls/id/843464",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_10148_solarwinds_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af",
- "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass"
- },
- {
- "description": "Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.",
- "meta": {
- "author": "Isa Almannaei",
- "creation_date": "2023/02/13",
- "falsepositive": [
- "Vulnerability Scanners"
- ],
- "filename": "web_cve_2022_21587_oracle_ebs.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/",
- "https://github.com/hieuminhnv/CVE-2022-21587-POC",
- "https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/",
- "https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_21587_oracle_ebs.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.21587"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d033cb8a-8669-4a8e-a974-48d4185a8503",
- "value": "Potential CVE-2022-21587 Exploitation Attempt"
- },
- {
- "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.",
- "meta": {
- "author": "Sittikorn S",
- "creation_date": "2021/09/24",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "filename": "web_cve_2021_22005_vmware_file_upload.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
- "https://kb.vmware.com/s/article/85717",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22005_vmware_file_upload.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec",
- "value": "VMware vCenter Server File Upload CVE-2021-22005"
- },
- {
- "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n",
- "meta": {
- "author": "daffainfo, Florian Roth",
- "creation_date": "2021/10/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_41773_apache_path_traversal.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_41773_apache_path_traversal.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5",
- "value": "CVE-2021-41773 Exploitation Attempt"
- },
- {
- "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2014_6287_hfs_rce.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.exploit-db.com/exploits/39161",
- "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.t1505.003",
- "cve.2014.6287"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae",
- "value": "Rejetto HTTP File Server RCE"
- },
 {
 "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"",
 "meta": {
@@ -85890,9 +81651,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.exploit-db.com/exploits/19525",
- "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
+ "https://www.exploit-db.com/exploits/19525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -85912,128 +81673,6 @@
 "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac",
 "value": "Successful IIS Shortname Fuzzing Scan"
 },
- {
- "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/12",
- "falsepositive": [
- "Vulnerability scanners"
- ],
- "filename": "web_cve_2022_31656_auth_bypass.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80",
- "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass"
- },
- {
- "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/01/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_3452_cisco_asa_ftd.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/aboul3la/status/1286012324722155525",
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.3452"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29",
- "value": "Cisco ASA FTD Exploit CVE-2020-3452"
- },
- {
- "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539",
- "meta": {
- "author": "Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)",
- "creation_date": "2021/09/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_40539_adselfservice.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11",
- "value": "ADSelfService Exploitation"
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/02/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_0688_msexchange.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5",
- "value": "CVE-2020-0688 Exchange Exploitation via Web Log"
- },
 {
 "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication",
 "meta": {
@@ -86068,76 +81707,6 @@
 "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e",
 "value": "Suspicious Windows Strings In URI"
 },
- {
- "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack",
- "meta": {
- "author": "Arnim Rupp, Florian Roth",
- "creation_date": "2020/01/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2019_19781_citrix_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://support.citrix.com/article/CTX267027",
- "https://isc.sans.edu/diary/25686",
- "https://support.citrix.com/article/CTX267679",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_19781_citrix_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756",
- "value": "Citrix Netscaler Attack CVE-2019-19781"
- },
- {
- "description": "Detects CVE-2020-0688 Exploitation attempts",
- "meta": {
- "author": "NVISO",
- "creation_date": "2020/02/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_0688_exchange_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/Ridter/cve-2020-0688",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_exchange_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a",
- "value": "CVE-2020-0688 Exploitation Attempt"
- },
 {
 "description": "Detects SSTI attempts sent via GET requests in access logs",
 "meta": {
@@ -86152,8 +81721,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/ssti-payloads",
 "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
+ "https://github.com/payloadbox/ssti-payloads",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -86161,71 +81730,6 @@
 "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342",
 "value": "Server Side Template Injection Strings"
 },
- {
- "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "web_cve_2021_26858_iis_rce.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a",
- "value": "ProxyLogon Reset Virtual Directories Based On IIS Log"
- },
- {
- "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).",
- "meta": {
- "author": "Sittikorn S, Nuttakorn Tungpoonsup",
- "creation_date": "2021/09/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "related": [
- {
- "dest-uuid": 
"3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1",
- "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit"
- },
 {
 "description": "Detects suspicious user agent strings used in APT malware in proxy logs",
 "meta": {
@@ -86260,19 +81764,20 @@
 "value": "APT User Agent"
 },
 {
- "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string",
+ "description": "Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
+ "author": "Florian Roth (Nextron Systems), Brian Ingram (update)",
 "creation_date": "2022/07/08",
 "falsepositive": [
 "Unknown"
 ],
 "filename": "proxy_ua_susp_base64.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
 "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
+ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
 ],
 "tags": [
@@ -86290,7 +81795,7 @@
 }
 ],
 "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3",
- "value": "Suspicious Base64 User Agent"
+ "value": "Potential Base64 Encoded User-Agent"
 },
 {
 "description": "Detects user agent and URI paths used by empire agents",
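Review bot: In the @@ -86290 hunk the `value` of element 894a8613-cf12-48b3-8e57-9085f54aa0c3 changes from `Suspicious Base64 User Agent` to `Potential Base64 Encoded User-Agent` while its uuid is kept, and nothing in the element records the old name; MISP galaxy tags are built from the value string, so events already tagged with the old name will stop resolving to this element once the galaxy is reloaded. Carrying the previous name in the element's `synonyms` meta list, or at least calling out the rename in the commit message, would let consumers migrate their tags. The @@ -86260 hunk also lowers `level` from `high` to `medium` and adds a list of ordinary user-agent strings as a reference, which presumably reflects an upstream reassessment that a trailing `=` alone is weak evidence of base64 encoding; that is worth a mention as well, since downstream alerting keyed on level changes behaviour with this update.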
@@ -86452,9 +81957,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
 "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml"
 ],
 "tags": [
@@ -86664,9 +82169,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -86757,14 +82262,14 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://perishablepress.com/blacklist/ua-2013.txt",
- "https://twitter.com/crep1x/status/1635034100213112833",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
 "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://twitter.com/crep1x/status/1635034100213112833",
 "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -86797,9 +82302,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://blog.talosintelligence.com/ipfs-abuse/",
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
+ "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
 "tags": [
@@ -86875,8 +82380,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://rclone.org/",
 "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
 ],
 "tags": [
@@ -86909,8 +82414,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml"
 ],
 "tags": [
@@ -87182,6 +82687,39 @@
 "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d",
 "value": "Advanced IP/Port Scanner Update Check"
 },
+ {
+ "description": "Detects suspicious encoded User-Agent strings, as seen used by some malware.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proxy_ua_base64_encoded.yml",
+ "level": "medium",
+ "logsource.category": "proxy",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_base64_encoded.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1071.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d443095b-a221-4957-a2c4-cd1756c9b747",
+ "value": "Suspicious Base64 Encoded User-Agent"
+ },
 {
 "description": "Detects download of certain file types from hosts in suspicious TLDs",
 "meta": {
@@ -87195,9 +82733,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://www.spamhaus.org/statistics/tlds/",
 "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
 ],
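Review bot: The new element `Suspicious Base64 Encoded User-Agent` (uuid d443095b-a221-4957-a2c4-cd1756c9b747) in the @@ -87182 hunk is hard to tell apart from the element renamed to `Potential Base64 Encoded User-Agent` in the hunk at @@ -86260: both are proxy rules at level `medium`, both cite the same deviceatlas reference, and the description `Detects suspicious encoded User-Agent strings, as seen used by some malware.` does not say how its matching differs from the trailing-`=` condition that the sibling `proxy_ua_susp_base64.yml` describes. Readers of the galaxy only see these descriptions, not the rule logic, so an analyst choosing between the two tags has no visible basis for the choice. The wording is inherited from the upstream Sigma rule `proxy_ua_base64_encoded.yml`, so the fix belongs there — one sentence naming the sibling rule and the distinguishing condition — and the generator would then carry it through on the next refresh.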
@@ -87457,8 +82995,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -87872,8 +83410,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/osx/osacompile.html",
 "https://redcanary.com/blog/applescript/",
+ "https://ss64.com/osx/osacompile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml"
 ],
 "tags": [
@@ -87906,9 +83444,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/osx/sysadminctl.html",
- "https://ss64.com/osx/dscl.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
+ "https://ss64.com/osx/dscl.html",
+ "https://ss64.com/osx/sysadminctl.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml"
 ],
 "tags": [
@@ -88051,8 +83589,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
 "https://redcanary.com/blog/applescript/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
 ],
 "tags": [
@@ -88403,9 +83941,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://linux.die.net/man/1/truncate",
 "https://linux.die.net/man/1/dd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
 ],
 "tags": [
@@ -88695,9 +84233,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
- "https://www.manpagez.com/man/8/firmwarepasswd/",
 "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
+ "https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
 "tags": [
@@ -89131,9 +84669,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
 "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
 "tags": [
@@ -89325,8 +84863,8 @@
 "refs": [
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": "No established tags"
@@ -89391,8 +84929,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -89575,8 +85113,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [
@@ -89617,8 +85155,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/arecord",
 "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
+ "https://linux.die.net/man/1/arecord",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
 ],
 "tags": [
@@ -89806,8 +85344,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
 ],
 "tags": [
@@ -89873,9 +85411,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://linux.die.net/man/8/insmod",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://linux.die.net/man/8/insmod",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -89943,9 +85481,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://objective-see.org/blog/blog_0x68.html",
- "https://www.glitch-cat.com/p/green-lambert-and-attack",
 "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
+ "https://www.glitch-cat.com/p/green-lambert-and-attack",
+ "https://objective-see.org/blog/blog_0x68.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
 ],
 "tags": [
@@ -89978,8 +85516,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://imagemagick.org/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://imagemagick.org/",
 "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
@@ -90080,10 +85618,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://mn3m.info/posts/suid-vs-capabilities/",
 "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
 "tags": [
@@ -90592,8 +86130,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
 ],
 "tags": [
@@ -90767,8 +86305,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://linux.die.net/man/1/xwd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
 ],
 "tags": [
@@ -90834,10 +86372,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man1/passwd.1.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://linux.die.net/man/1/chage",
+ "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -90938,9 +86476,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -91047,9 +86585,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -91082,9 +86620,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://book.hacktricks.xyz/shells/shells/linux",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
 "tags": [
@@ -91387,9 +86925,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://linux.die.net/man/8/useradd",
- "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -91430,8 +86968,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Immersive-Labs-Sec/nimbuspwn",
 "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
+ "https://github.com/Immersive-Labs-Sec/nimbuspwn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
 ],
 "tags": [
@@ -91555,8 +87093,8 @@
 "logsource.product": "linux",
 "refs": [
 "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
- "https://artkond.com/2017/03/23/pivoting-guide/",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
 "http://pastebin.com/FtygZ1cg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
@@ -91822,8 +87360,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -91857,8 +87395,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://twitter.com/matthieugarin/status/1183970598210412546",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -92089,8 +87627,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -92123,8 +87661,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -92234,8 +87772,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://twitter.com/matthieugarin/status/1183970598210412546",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -92400,9 +87938,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/rvim/",
 "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/vim/",
+ "https://gtfobins.github.io/gtfobins/rvim/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
 "tags": [
@@ -92555,10 +88093,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://sysdig.com/blog/mitre-defense-evasion-falco",
- "https://linuxhint.com/uninstall_yum_package/",
 "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
 "https://linuxhint.com/uninstall-debian-packages/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
+ "https://linuxhint.com/uninstall_yum_package/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
 ],
 "tags": [
@@ -92666,8 +88204,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
 ],
 "tags": [
@@ -92733,9 +88271,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -92859,7 +88397,7 @@
 {
 "description": "Detects a suspicious curl process start the adds a file to a web request",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "author": "Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)",
 "creation_date": "2022/09/15",
 "falsepositive": [
 "Scripts created by developers and admins"
@@ -92870,9 +88408,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://curl.se/docs/manpage.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
@@ -92972,10 +88510,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linux.die.net/man/8/userdel",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/userdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -93062,8 +88600,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://www.cyberciti.biz/faq/how-force-kill-process-linux/",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml"
 ],
 "tags": [
@@ -93230,8 +88768,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -93355,8 +88893,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
 "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
 ],
 "tags": [
@@ -93422,8 +88960,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
 ],
 "tags": [
@@ -93456,8 +88994,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
 ],
 "tags": [
@@ -93514,8 +89052,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
 ],
 "tags": [
@@ -93632,10 +89170,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/groupdel",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://linux.die.net/man/8/groupdel",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -93702,9 +89240,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/diego-treitos/linux-smart-enumeration",
- "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
 "tags": [
@@ -93804,8 +89342,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
 ],
 "tags": [
@@ -93896,8 +89434,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
 ],
 "tags": [
@@ -94085,8 +89623,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -94137,11 +89675,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://man7.org/linux/man-pages/man1/ncat.1.html",
 "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://man7.org/linux/man-pages/man1/ncat.1.html",
 "https://www.revshells.com/",
+ "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
 ],
 "tags": [
@@ -94286,10 +89824,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "Internal Research",
- "https://github.com/pathtofile/bad-bpf",
- "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/Gui774ume/ebpfkit",
+ "Internal Research",
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/pathtofile/bad-bpf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml"
 ],
 "tags": [
@@ -94312,9 +89850,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://bpftrace.org/",
 "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
 "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
- "https://bpftrace.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
 ],
 "tags": [
@@ -94371,9 +89909,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://blogs.blackberry.com/",
 "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
 ],
 "tags": [
@@ -94406,8 +89944,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -94440,8 +89978,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
 ],
 "tags": [
@@ -94574,8 +90112,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
@@ -94722,5 +90260,5 @@
 "value": "Security Software Discovery - Linux"
 }
 ],
- "version": 20230430
+ "version": 20230511
 }