diff --git a/README.md b/README.md index 4c4b66c..dc775e7 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ The objective is to have a comment set of clusters for organizations starting an to localized information (which is not shared) or additional information (that can be shared). # Available Galaxy - clusters + ## 360.net Threat Actors [360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net. 
@@ -148,7 +149,7 @@ Category: *tool* - source: *MISP Project* - total: *52* elements ## FIRST DNS Abuse Techniques Matrix -[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information. +[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements 
@@ -382,7 +383,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar -Category: *tool* - source: *Various* - total: *1624* elements +Category: *tool* - source: *Various* - total: *1649* elements [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] @@ -422,7 +423,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2696* elements [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] @@ -446,7 +447,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total: [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer. -Category: *tool* - source: *Open Sources* - total: *11* elements +Category: *tool* - source: *Open Sources* - total: *12* elements [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] 
@@ -470,7 +471,7 @@ Category: *target* - source: *Various* - total: *240* elements [TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries -Category: *tool* - source: *MISP Project* - total: *10* elements +Category: *tool* - source: *MISP Project* - total: *11* elements [[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] @@ -486,7 +487,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *408* elements +Category: *actor* - source: *MISP Project* - total: *418* elements [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] @@ -494,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *408* elements [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. -Category: *tool* - source: *MISP Project* - total: *545* elements +Category: *tool* - source: *MISP Project* - total: *549* elements [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] diff --git a/clusters/botnet.json b/clusters/botnet.json index dad5596..c8619b4 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json 
@@ -1402,7 +1402,27 @@
 },
 "uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
 "value": "KmsdBot"
+ },
+ {
+ "description": "Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.",
+ "meta": {
+ "refs": [
+ "https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
+ "value": "HinataBot"
 }
 ],
- "version": 30
+ "version": 31
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 1d71abc..a9a9a34 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -20413,11 +20413,6 @@
 "uuid": "ce5eb940-5fd6-4d2f-bfa8-2191ae3e4239",
 "value": "CTF"
 },
- {
- "description": "Ransomware",
- "uuid": "2a95f6b9-3ce7-40b9-bda8-0832e0d9d07f",
- "value": "Cuba"
- },
 {
 "description": "Ransomware",
 "uuid": "ed087a5a-41f7-4997-9701-ef46c984d89d",
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 456e59b..e902ca3 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
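Review bot: The new HinataBot entry's description folds an unattributed curator judgement (`Looks like an attempt to rewrite Mirai in Go.`) into text that otherwise reads as Akamai's, while the `related` link to `fcdfd4af-…` is only tagged `likelihood-probability="likely"`; the description should carry the same confidence and name its source, e.g. `Akamai assesses HinataBot to be a Go rewrite of Mirai; its operators previously distributed Mirai binaries.` The target of that `related` entry is not visible in this hunk, so whether `fcdfd4af-…` is in fact the Mirai cluster cannot be checked here and is worth confirming, because a wrong `dest-uuid` creates a false correlation in every MISP instance that loads the galaxy. Since the description states the author named the malware "Hinata" and the Malpedia reference files it as `elf.hinata_bot`, `"synonyms": ["Hinata"]` belongs in `meta` so that tag searches on either name resolve to this cluster.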
@@ -215,8 +215,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], @@ -273,10 +273,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://core.telegram.org/bots/faq", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -458,8 +458,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://zeltser.com/c2-dns-tunneling/", "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://zeltser.com/c2-dns-tunneling/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" ], "tags": [ 
@@ -1546,10 +1546,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1658,8 +1658,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", "https://github.com/OTRF/detection-hackathon-apt29", + "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ @@ -1726,8 +1726,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ 
@@ -1927,9 +1927,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", + "https://github.com/Maka8ka/NGLite", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ @@ -1986,9 +1986,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ 
@@ -2106,12 +2106,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/corelight/CVE-2021-1675", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/corelight/CVE-2021-1675", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -2243,9 +2243,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://tools.ietf.org/html/rfc2929#section-2.1", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://twitter.com/neu5ron/status/1346245602502443009", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], 
@@ -2387,8 +2387,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -2556,8 +2556,8 @@ "logsource.product": "jvm", "refs": [ "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://rules.sonarsource.com/java/RSPEC-2755", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -2590,8 +2590,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ 
@@ -2657,9 +2657,9 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "http://guides.rubyonrails.org/action_controller_overview.html", - "http://edgeguides.rubyonrails.org/security.html", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "http://edgeguides.rubyonrails.org/security.html", + "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], @@ -2693,10 +2693,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ 
@@ -2730,9 +2730,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -2755,10 +2755,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ 
@@ -2817,10 +2817,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -2862,9 +2862,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -2897,8 +2897,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], "tags": [ 
@@ -2921,10 +2921,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -3008,10 +3008,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ 
@@ -3052,12 +3052,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -3080,10 +3080,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ 
@@ -3115,10 +3115,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -3141,10 +3141,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ 
@@ -3168,9 +3168,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -3204,8 +3204,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], 
@@ -3229,10 +3229,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -3323,11 +3323,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ 
@@ -3542,8 +3542,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460597833917251595", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/mrd0x/status/1460597833917251595", "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], @@ -3799,8 +3799,8 @@ "logsource.product": "windows", "refs": [ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], 
@@ -3828,17 +3828,17 @@ "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "creation_date": "2017/02/16", "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason; please add more filters" + "Likely" ], "filename": "proc_access_win_cred_dump_lsass_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ 
@@ -3873,11 +3873,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ 
@@ -3904,18 +3904,18 @@ "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/11/22", "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason" + "Legitimate software such as AV and EDR" ], "filename": "proc_access_win_susp_proc_access_lsass.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -4167,9 +4167,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/codewhitesec/SysmonEnte/", - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", + "https://github.com/codewhitesec/SysmonEnte/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], "tags": [ 
@@ -4245,8 +4245,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
@@ -4361,8 +4361,8 @@
 "logsource.category": "sysmon_error",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
 ],
 "tags": [
@@ -4395,8 +4395,8 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
 ],
 "tags": [
@@ -4429,8 +4429,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
 ],
 "tags": [
@@ -4464,8 +4464,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -4556,11 +4556,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -4594,8 +4594,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/groups/G0010/",
 "Internal Research",
+ "https://attack.mitre.org/groups/G0010/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml"
 ],
 "tags": [
@@ -4629,8 +4629,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml"
 ],
 "tags": [
@@ -4752,8 +4752,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
 ],
 "tags": [
@@ -4786,8 +4786,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml"
 ],
 "tags": [
@@ -4821,8 +4821,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zcgonvh/EfsPotato",
 "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
 ],
 "tags": [
@@ -4898,18 +4898,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
 "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -4943,8 +4943,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml"
 ],
 "tags": [
@@ -4979,8 +4979,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://o365blog.com/post/adfs/",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/Azure/SimuLand",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -5404,44 +5404,6 @@
 "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2",
 "value": "Addition of SID History to Active Directory Object"
 },
- {
- "description": "Detects failed logins with multiple accounts from a single process on the system.",
- "meta": {
- "author": "Mauricio Velazco",
- "creation_date": "2021/06/01",
- "falsepositive": [
- "Terminal servers",
- "Jump servers",
- "Other multiuser systems like Citrix server farms",
- "Workstations with frequently changing users"
- ],
- "filename": "win_security_susp_failed_logons_single_process.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml"
- ],
- "tags": [
- "attack.t1110.003",
- "attack.initial_access",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280",
- "value": "Multiple Users Failing to Authenticate from Single Process"
- },
 {
 "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
 "meta": {
@@ -5456,8 +5418,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -5491,9 +5453,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -5526,8 +5488,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
 ],
 "tags": [
@@ -5552,10 +5514,10 @@
 {
 "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform",
 "meta": {
- "author": "Connor Martin, Nasreddine Bencherchali",
+ "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/12/23",
 "falsepositive": [
- "Unknown"
+ "The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out"
 ],
 "filename": "win_security_service_install_remote_access_software.yml",
 "level": "medium",
@@ -5735,9 +5697,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
 "tags": "No established tags"
@@ -5745,43 +5707,6 @@
 "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb",
 "value": "User with Privileges Logon"
 },
- {
- "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.",
- "meta": {
- "author": "Mauricio Velazco",
- "creation_date": "2021/06/01",
- "falsepositive": [
- "Terminal servers",
- "Jump servers",
- "Other multiuser systems like Citrix server farms",
- "Workstations with frequently changing users"
- ],
- "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml"
- ],
- "tags": [
- "attack.t1110.003",
- "attack.initial_access",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5",
- "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM"
- },
 {
 "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
 "meta": {
@@ -5829,8 +5754,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -5940,44 +5865,6 @@
 "uuid": "72124974-a68b-4366-b990-d30e0b2a190d",
 "value": "Metasploit SMB Authentication"
 },
- {
- "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.",
- "meta": {
- "author": "Mauricio Velazco, frack113",
- "creation_date": "2021/06/01",
- "falsepositive": [
- "Vulnerability scanners",
- "Misconfigured systems",
- "Remote administration tools",
- "VPN terminators",
- "Multiuser systems like Citrix server farms"
- ],
- "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml"
- ],
- "tags": [
- "attack.t1110.003",
- "attack.initial_access",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564",
- "value": "Invalid Users Failing To Authenticate From Source Using Kerberos"
- },
 {
 "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
 "meta": {
@@ -6014,11 +5901,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/ruler/issues/47",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/sensepost/ruler",
+ "https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -6108,9 +5995,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
 "tags": [
@@ -6304,8 +6191,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
@@ -6359,9 +6246,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -6394,9 +6281,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -6536,8 +6423,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
 "https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
 ],
 "tags": [
@@ -6604,9 +6491,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -6864,15 +6751,15 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
 ],
 "tags": "No established tags"
@@ -7000,9 +6887,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -7144,8 +7031,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -7201,7 +7088,7 @@
 {
 "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
 "meta": {
- "author": "Micah Babinski, @micahbabinski",
+ "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
 "creation_date": "2023/01/19",
 "falsepositive": [
 "Legitimate or intentional inbound connections from public IP addresses on the SMB port."
@@ -7211,8 +7098,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -7553,6 +7440,31 @@
 "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51",
 "value": "Password Change on Directory Service Restore Mode (DSRM) Account"
 },
+ {
+ "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
+ "meta": {
+ "author": "Robert Lee @quantum_cookie",
+ "creation_date": "2023/03/16",
+ "falsepositive": [
+ "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM"
+ ],
+ "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.initial_access",
+ "cve.2023.23397"
+ ]
+ },
+ "uuid": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c",
+ "value": "CVE-2023-23397 Exploitation Attempt"
+ },
 {
 "description": "Detection of logins performed with WMI",
 "meta": {
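Review bot: The new CVE-2023-23397 cluster's `falsepositive` entry has a typo (`To avoid false postives`) and its wording does not line up with the cluster's own `description`: the description says the rule detects Outlook initiating a connection to a WebDAV or SMB share, while the false-positive note talks about `Searchprotocolhost.exe` querying "these registry keys", so a reader of this entry cannot tell which event or object the rule actually keys on. If this file is generated from the upstream Sigma rule named in `filename`, the fix belongs in that rule's text rather than here; otherwise `To avoid false positives` plus a short clause naming the monitored object (e.g. "the registry values the rule audits") would make the entry self-contained. The same entry is also the only one in this diff with a `critical` level and no `related` block, which is consistent with the other new-style entries here but worth confirming is intentional.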
@@ -7586,67 +7498,6 @@
 "uuid": "5af54681-df95-4c26-854f-2565e13cfab0",
 "value": "Login with WMI"
 },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_apt_chafer_mar18_security.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561",
- "value": "Chafer Activity - Security"
- },
 {
 "description": "Detects Obfuscated use of stdin to execute PowerShell",
 "meta": {
@@ -8053,10 +7904,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Flangvik/status/1283054508084473861",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -8157,10 +8008,10 @@
 "author": "Roberto Rodriguez @Cyb3rWard0g",
 "creation_date": "2019/08/10",
 "falsepositive": [
- "Unknown"
+ "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event."
 ],
 "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
@@ -8369,9 +8220,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/topotam/PetitPotam",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://github.com/topotam/PetitPotam",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -8404,8 +8255,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
 "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -8557,8 +8408,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=3458",
 "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
+ "https://adsecurity.org/?p=3458",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
 ],
 "tags": [
@@ -8733,8 +8584,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
@@ -8896,8 +8747,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
 "tags": [
@@ -9128,9 +8979,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
@@ -9139,44 +8990,6 @@ "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "value": "Locked Workstation" }, - { - "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", - "meta": { - "author": "Mauricio Velazco, frack113", - "creation_date": "2021/06/01", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "related": [ - { - "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", - "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos" - }, { "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", "meta": { 
@@ -9190,16 +9003,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://twitter.com/_xpn_/status/1268712093928378368", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -9403,8 +9216,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -9427,7 +9240,7 @@ { "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.", "meta": { - "author": "Micah Babinski, @micahbabinski", + "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)", "creation_date": "2023/01/19", "falsepositive": [ "Legitimate or intentional inbound connections from public IP addresses on the RDP port." @@ -9437,8 +9250,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://twitter.com/Purp1eW0lf/status/1616144561965002752", + "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml" ], "tags": [ 
@@ -9555,8 +9368,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", "https://adsecurity.org/?p=2053", + "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ @@ -9684,8 +9497,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -9752,8 +9565,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ 
@@ -9819,9 +9632,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -9923,9 +9736,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -9958,8 +9771,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ 
@@ -9993,9 +9806,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -10102,8 +9915,8 @@ "refs": [ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ 
@@ -10124,81 +9937,6 @@ "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "value": "Mimikatz DC Sync" }, - { - "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", - "meta": { - "author": "Mauricio Velazco, frack113", - "creation_date": "2021/06/01", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "related": [ - { - "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", - "value": "Disabled Users Failing To Authenticate From Source Using Kerberos" - }, - { - "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "related": [ - { - "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", - "value": "Valid Users Failing to Authenticate from Single Source Using NTLM" - }, { "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "meta": { @@ -10316,9 +10054,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ 
@@ -10426,6 +10164,67 @@ "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "value": "Admin User Remote Logon" }, + { + "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", + "meta": { + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_security_apt_oilrig_mar18.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_oilrig_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "value": "OilRig APT Schedule Task Persistence - Security" + }, { "description": "Detects remote printer driver load from Detailed File Share in Security logs that are 
a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", "meta": { @@ -10617,8 +10416,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" ], "tags": [ @@ -10750,8 +10549,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_restriction_policies_block.yml" ], "tags": [ @@ -10848,8 +10647,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ 
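Review bot: The added "OilRig APT Schedule Task Persistence - Security" entry is given a fresh cluster uuid (c0580559-a6bd-4ef6-b9b7-83703d98b561) although its author, creation_date, tag list and all four related dest-uuids are identical to the "Chafer Activity - System" entry (uuid 53ba33fd-3a50-4468-a5ef-c583635cfa92) removed in the hunk at @@ -14263, which suggests the upstream rule was renamed rather than replaced. MISP instances reference galaxy clusters by uuid, so events or relationships tagged with the old uuid are left dangling by this regeneration even though the detection content itself appears to survive. If the generator derives the uuid from the rule filename, it would be worth carrying the previous uuid forward on a rename, i.e. keep `"uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92"` here, or at least link the old uuid via a related entry so existing references still resolve. The entry that follows the insertion continues past the end of the hunk.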
@@ -10872,9 +10671,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" ], "tags": [ @@ -10931,8 +10730,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" ], "tags": [ @@ -10987,8 +10786,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" ], "tags": [ 
@@ -11030,8 +10829,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" ], "tags": [ @@ -11090,10 +10889,10 @@ "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" ], "tags": [ @@ -11204,8 +11003,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ 
@@ -11251,9 +11050,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -11374,8 +11173,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", + "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ @@ -11432,8 +11231,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1483810148602814466", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://twitter.com/SBousseaden/status/1483810148602814466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ 
@@ -11523,9 +11322,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/KevTheHermit/status/1410203844064301056", - "https://github.com/afwu/PrintNightmare", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" ], "tags": [ @@ -11581,11 +11380,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -11618,9 +11417,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/fuzzyf10w/status/1410202370835898371", "https://github.com/afwu/PrintNightmare", - "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" ], "tags": [ 
@@ -11688,9 +11487,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", - "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -11765,15 +11564,16 @@ "author": "Ján Trenčanský, frack113", "creation_date": "2020/07/28", "falsepositive": [ - "Administrator actions (should be investigated)" + "Administrator actions (should be investigated)", + "Seen being triggered occasionally during Windows 8 Defender Updates" ], "filename": "win_defender_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" ], "tags": [ 
@@ -12107,9 +11907,9 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml" ], "tags": [ @@ -12279,9 +12079,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" ], "tags": [ @@ -12315,8 +12115,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" ], "tags": [ 
@@ -12350,8 +12150,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://ngrok.com/", "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -12384,9 +12184,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://twitter.com/gentilkiwi/status/861641945944391680", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -12948,9 +12748,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" ], "tags": [ 
@@ -13034,8 +12834,8 @@ "logsource.product": "windows", "refs": [ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -13144,8 +12944,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Ekultek/BlueKeep", "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -13320,8 +13120,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" ], "tags": [ 
@@ -13637,8 +13437,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml" ], "tags": [ @@ -13696,8 +13496,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" ], "tags": [ @@ -13838,9 +13638,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/wdormann/status/1347958161609809921", - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" ], "tags": [ 
@@ -13908,8 +13708,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -13944,8 +13744,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
 ],
 "tags": [
@@ -14263,67 +14063,6 @@
 "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9",
 "value": "Tap Driver Installation"
 },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_system_apt_chafer_mar18_system.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92",
- "value": "Chafer Activity - System"
- },
 {
 "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)",
"meta": { 
@@ -14516,6 +14255,67 @@
 "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b",
 "value": "Local Privilege Escalation Indicator TabTip"
 },
+ {
+ "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2018/03/23",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_system_apt_oilrig_mar18.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_oilrig_mar18.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.g0049",
+ "attack.t1053.005",
+ "attack.s0111",
+ "attack.t1543.003",
+ "attack.defense_evasion",
+ "attack.t1112",
+ "attack.command_and_control",
+ "attack.t1071.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92",
+ "value": "OilRig APT Schedule Task Persistence - System"
+ },
 {
 "description": "Detects that a vulnerable Netlogon secure channel connection was allowed,
which could be an indicator of CVE-2020-1472.",
 "meta": {
@@ -14562,8 +14362,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml"
 ],
 "tags": [
@@ -14846,8 +14646,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -15047,9 +14847,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
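Review bot: The re-added cluster reuses uuid 53ba33fd-3a50-4468-a5ef-c583635cfa92 from the entry removed in the hunk at L64 but changes `value` from "Chafer Activity - System" to "OilRig APT Schedule Task Persistence - System", so any consumer that keys on the cluster value rather than the uuid loses the mapping silently; a line in the commit description naming the old and new values would let downstream MISP operators audit the rename. The tag list is carried over unchanged (attack.t1543.003, attack.t1112, attack.t1071.004) although the description now covers scheduled-task persistence only, and `falsepositive` moves from "Unknown" to "Unlikely" with no stated reason — both presumably mirror the upstream win_system_apt_oilrig_mar18.yml, which is worth confirming before merge. The registry-side cluster in the hunk at L74 (uuid 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5, replacing the entry removed at L76) has the same shape and the same open points.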
@@ -15120,11 +14920,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -15173,9 +14973,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
@@ -15199,9 +14999,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
@@ -15225,9 +15025,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
@@ -15251,9 +15051,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
@@ -15614,8 +15414,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -15952,8 +15752,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
@@ -15989,9 +15789,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://persistence-info.github.io/Data/recyclebin.html",
 "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
+ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -16059,8 +15859,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -16094,9 +15894,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -16164,8 +15964,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
 ],
 "tags": [
@@ -16198,8 +15998,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
 ],
 "tags": [
@@ -16219,6 +16019,39 @@
 "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01",
 "value": "New DLL Added to AppCertDlls Registry Key"
 },
+ {
+ "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files",
+ "meta": {
+ "author": "Hieu Tran",
+ "creation_date": "2023/03/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_event_malware_qakbot_registry.yml",
+ "level": "high",
+ "logsource.category": "registry_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1c8e96cd-2bed-487d-9de0-b46c90cade56",
+ "value": "Potential Qakbot Registry Activity"
+ },
 {
 "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.",
 "meta": {
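Review bot: The added cluster's `description` says the registry key is used by IceID, while its `value` ("Potential Qakbot Registry Activity"), `filename` and the SigmaHQ ref all say Qakbot, so the entry contradicts itself about which malware family the rule covers; "IceID" also looks like a misspelling of IcedID. If this file is regenerated from the Sigma rule, the fix belongs in the upstream registry_event_malware_qakbot_registry.yml description so that it names the same family as the title, e.g. `Detects a registry key used by Qakbot in a campaign that distributes malicious OneNote files`, followed by re-running the generator. As it stands a reader cannot tell from this cluster alone which family's activity the rule was written against.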
@@ -16438,8 +16271,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
 "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
 ],
 "tags": [
@@ -16604,6 +16437,67 @@
 "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a",
 "value": "Narrator's Feedback-Hub Persistence"
 },
+ {
+ "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2018/03/23",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_event_apt_oilrig_mar18.yml",
+ "level": "critical",
+ "logsource.category": "registry_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.g0049",
+ "attack.t1053.005",
+ "attack.s0111",
+ "attack.t1543.003",
+ "attack.defense_evasion",
+ "attack.t1112",
+ "attack.command_and_control",
+ "attack.t1071.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5",
+ "value": "OilRig APT Registry Persistence"
+ },
 {
 "description": "Detects the presence of a registry key created during Azorult execution",
 "meta": {
@@ -16720,8 +16614,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
 ],
 "tags": [
@@ -16895,10 +16789,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
 "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
 "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -17027,67 +16921,6 @@
 "uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1",
 "value": "Potential Ransomware Activity Using LegalNotice Message"
 },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_event_apt_chafer_mar18.yml",
- "level": "critical",
- "logsource.category": "registry_event",
- "logsource.product": "windows",
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5",
- "value": "Chafer Activity - Registry"
- },
 {
 "description": "Detects Pandemic Windows Implant",
 "meta": {
@@ -17136,8 +16969,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -17211,8 +17044,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://seclists.org/fulldisclosure/2020/Mar/45",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
 ],
 "tags": [
@@ -17311,11 +17144,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
 "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -17348,8 +17181,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml"
 ],
 "tags": [
@@ -17415,8 +17248,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
 ],
 "tags": [
@@ -17473,10 +17306,10 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
@@ -17543,8 +17376,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
 ],
 "tags": [
@@ -17676,8 +17509,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/991447379864932352",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "https://twitter.com/Hexacorn/status/991447379864932352",
 "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
 ],
@@ -17744,8 +17577,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
+ "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
 ],
 "tags": [
@@ -17778,8 +17611,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml"
 ],
 "tags": [
@@ -17855,8 +17688,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -17953,8 +17786,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
 "tags": [
@@ -18054,11 +17887,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
- "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
 "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
 "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+ "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
 "tags": [
@@ -18151,13 +17984,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -18339,8 +18172,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.exploit-db.com/exploits/47696",
 "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
+ "https://www.exploit-db.com/exploits/47696",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
 ],
 "tags": [
@@ -18448,9 +18281,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
 ],
 "tags": [
@@ -18705,9 +18538,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
- "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
+ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -18740,8 +18573,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
 ],
 "tags": [
@@ -18848,9 +18681,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -18953,8 +18786,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/last-byte/PersistenceSniper",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
@@ -19100,7 +18933,7 @@
 {
 "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel",
 "meta": {
- "author": "frack113, Nasreddine Bencherchali",
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/07/04",
 "falsepositive": [
 "Legitimate administrators disabling specific event log for troubleshooting"
@@ -19178,8 +19011,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -19220,8 +19053,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
 "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
 ],
 "tags": [
@@ -19324,8 +19157,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -19405,8 +19238,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
 ],
 "tags": [
@@ -19715,13 +19548,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -19893,8 +19726,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
 ],
 "tags": [
@@ -19944,8 +19777,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
 ],
 "tags": [
@@ -20413,10 +20246,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -20449,8 +20282,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
 ],
 "tags": [
@@ -20483,8 +20316,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
+ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
 ],
 "tags": [
@@ -20731,9 +20564,20 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml"
 ],
 "tags": [
- "attack.persistence"
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1112"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96",
 "value": "Winlogon AllowMultipleTSSessions Enable"
 },
@@ -20783,8 +20627,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
 ],
 "tags": [
@@ -20817,8 +20661,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
 "https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
 ],
 "tags": [
@@ -20946,8 +20790,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -21039,8 +20883,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://persistence-info.github.io/Data/aedebug.html",
+ "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
 ],
 "tags": [
@@ -21166,8 +21010,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
@@ -21202,8 +21046,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
 "tags": [
@@ -21278,9 +21122,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
 ],
 "tags": [
@@ -21379,9 +21223,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
 "https://www.sans.org/cyber-security-summit/archives",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -21508,8 +21352,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
 ],
 "tags": [
@@ -21770,8 +21614,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
 ],
 "tags": [
@@ -21804,8 +21648,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
 ],
 "tags": [
@@ -21838,9 +21682,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/pabraeken/status/998627081360695297",
+ "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
 "tags": [
@@ -21906,8 +21750,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/autodialdll.html",
 "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
+ "https://persistence-info.github.io/Data/autodialdll.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
 ],
 "tags": [
@@ -21964,8 +21808,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/zSihR3lTf7g",
 "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
+ "https://youtu.be/zSihR3lTf7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
 ],
 "tags": [
@@ -22069,8 +21913,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -22101,8 +21945,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
 ],
 "tags": [
@@ -22143,8 +21987,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
 ],
 "tags": [
@@ -22246,9 +22090,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -22271,9 +22115,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/elastic/detection-rules/issues/1371",
 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
 "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
- "https://github.com/elastic/detection-rules/issues/1371",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
@@ -22348,16 +22192,27 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
 ],
 "tags": [
- "attack.persistence"
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1112"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b",
 "value": "Potential Persistence Via Event Viewer Events.asp"
 },
@@ -22407,9 +22262,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
 "tags": [
@@ -22432,17 +22287,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -22586,9 +22441,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -22656,8 +22511,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://persistence-info.github.io/Data/ifilters.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
@@ -22714,8 +22569,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://forensafe.com/blogs/typedpaths.html",
 "https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
 ],
 "tags": [
@@ -22739,8 +22594,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
 ],
 "tags": [
@@ -22808,9 +22663,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
 "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
 ],
 "tags": [
@@ -22845,8 +22700,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://twitter.com/dez_/status/986614411711442944",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
@@ -22880,8 +22735,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml"
 ],
 "tags": [
@@ -22925,8 +22780,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
 "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -22961,8 +22816,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -23195,8 +23050,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
 "https://twitter.com/wdormann/status/1547583317410607110",
+ "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
 ],
 "tags": [
@@ -23217,6 +23072,91 @@
 "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456",
 "value": "UAC Bypass Using Iscsicpl - ImageLoad"
 },
+ {
+ "description": "Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform",
+ "meta": {
+ "author": "X__Junior",
+ "creation_date": "2023/03/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_wazuh.yml",
+ "level": "high",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "db77ce78-7e28-4188-9337-cf30e2b3ba9f",
+ "value": "Potential Wazuh Security Platform DLL Sideloading"
+ },
+ {
+ "description": "Detects potential DLL sideloading of rcdll.dll",
+ "meta": {
+ "author": "X__Junior",
+ "creation_date": "2023/03/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_rcdll.yml",
+ "level": "high",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rcdll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6e78b74f-c762-4800-82ad-f66787f10c8a",
+ "value": "Potential Rcdll.DLL Sideloading"
+ },
 {
 "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs",
 "meta": {
@@ -23305,8 +23245,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_drawing_load.yml"
 ],
 "tags": [
@@ -23326,6 +23266,42 @@
 "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c",
 "value": "System Drawing DLL Load"
 },
+ {
+ "description": "Detects loading of Amsi.dll by uncommon processes",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/03/12",
+ "falsepositive": [
+ "Likely"
+ ],
+ "filename": "image_load_dll_amsi_uncommon_process.yml",
+ "level": "low",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9",
+ "https://github.com/TheD1rkMtr/AMSI_patch",
+ "https://github.com/surya-dev-singh/AmsiBypass-OpenSession",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "facd1549-e416-48e0-b8c4-41d7215eedc8",
+ "value": "Amsi.DLL Load By Uncommon Process"
+ },
 {
 "description": "Detects WMI command line event consumers",
 "meta": {
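Review bot: The new Amsi.DLL entry is tagged `attack.impact` and `attack.t1490`, which is Inhibit System Recovery and does not describe an AMSI library being loaded by an unexpected process; the single `dest-uuid` in `related` presumably resolves to that same technique. Loading or patching amsi.dll from an uncommon process is tooling interference, so `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) next to the existing `attack.defense_evasion` would be the expected mapping. Since this cluster appears to be generated from the upstream SigmaHQ rule, the fix belongs in image_load_dll_amsi_uncommon_process.yml, but merging the entry as-is propagates the wrong technique to every MISP instance that pulls the galaxy.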
@@ -23415,12 +23391,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://github.com/Wh04m1001/SysmonEoP", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -23502,7 +23478,7 @@ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "filename": "image_load_side_load_dbgcore_dll.yml", - "level": "medium", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ @@ -23549,8 +23525,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ 
@@ -23697,7 +23673,7 @@ "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "filename": "image_load_side_load_from_non_system_location.yml", - "level": "medium", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ @@ -23778,7 +23754,7 @@ "Unknown" ], "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml", - "level": "medium", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ @@ -23825,8 +23801,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/p3nt4/PowerShdll", "https://adsecurity.org/?p=2921", + "https://github.com/p3nt4/PowerShdll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -23891,39 +23867,6 @@ "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "value": "Potential Antivirus Software DLL Sideloading" }, - { - "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", - "meta": { - "author": "frack113", - "creation_date": "2022/02/03", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_side_load_advapi32.yml", - "level": "informational", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/hlldz/Phant0m", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_advapi32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "related": [ - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", - "value": "Suspicious Load of Advapi31.dll" - }, { "description": "Detects any assembly DLL being loaded by an Office Product", "meta": { 
@@ -24088,8 +24031,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.py2exe.org/", + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ @@ -24122,10 +24065,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/tyranid/DotNetToJScript", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://thewover.github.io/Introducing-Donut/", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -24147,7 +24090,7 @@ "value": "DotNet CLR DLL Loaded By Scripting Applications" }, { - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "meta": { "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "creation_date": "2019/10/27", 
@@ -24159,9 +24102,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml" ], "tags": [ @@ -24301,7 +24244,7 @@ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "filename": "image_load_side_load_dbghelp_dll.yml", - "level": "medium", + "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ @@ -24679,8 +24622,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ 
@@ -24710,6 +24653,48 @@
 "uuid": "ee4c5d06-3abc-48cc-8885-77f1c20f4451",
 "value": "DLL Sideloading Of ShellChromeAPI.DLL"
 },
+ {
+ "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)",
+ "meta": {
+ "author": "X__Junior",
+ "creation_date": "2023/03/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_iviewers.yml",
+ "level": "high",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.secureworks.com/research/shadowpad-malware-analysis",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_iviewers.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4c21b805-4dd7-469f-b47d-7383a8fcb437",
+ "value": "Potential Iviewers.DLL Sideloading"
+ },
 {
 "description": "Detects the image load of VSS DLL by uncommon executables",
 "meta": {
@@ -24899,7 +24884,7 @@
 "Unlikely"
 ],
 "filename": "image_load_side_load_office_dlls.yml",
- "level": "medium",
+ "level": "high",
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
@@ -24979,9 +24964,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], "tags": [ @@ -25048,9 +25033,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" ], "tags": [ @@ -25166,8 +25151,8 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], 
@@ -25201,8 +25186,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], @@ -25492,8 +25477,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ @@ -25801,9 +25786,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ 
@@ -25836,8 +25821,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], @@ -25863,8 +25848,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -26081,8 +26066,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ 
@@ -26190,21 +26175,21 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/calebstewart/CVE-2021-1675", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/calebstewart/CVE-2021-1675", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + 
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ 
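Review bot: This hunk removes and re-adds the same twelve URLs in a different order without changing the set of references, and the same pure reordering accounts for most hunks in this update. If the generator emits `refs` in set or dict iteration order, sorting them (or preserving the upstream rule's order) would keep the cluster byte-stable between runs and leave only genuine reference changes visible to reviewers. The generator itself is not part of this diff, so that cause is inferred from the pattern rather than confirmed.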
@@ -26569,23 +26554,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/samratashok/nishang", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/besimorhino/powercat", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - 
"https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/besimorhino/powercat", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -26799,8 +26784,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -27065,8 +27050,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ 
@@ -27241,8 +27226,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -27375,8 +27360,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -27527,10 +27512,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ 
@@ -27672,9 +27657,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", - "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -27743,8 +27728,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ 
@@ -27910,11 +27895,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "http://woshub.com/manage-windows-firewall-powershell/", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "http://woshub.com/manage-windows-firewall-powershell/", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -28037,8 +28022,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ 
@@ -28104,9 +28089,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://youtu.be/5mqid-7zp8k?t=2481", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], @@ -28325,8 +28310,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -28402,8 +28387,8 @@ "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2604", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ 
@@ -28752,8 +28737,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ @@ -28909,8 +28894,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ @@ -29177,8 +29162,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], 
@@ -29204,8 +29189,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -29273,8 +29258,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -29307,8 +29292,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ 
@@ -29492,9 +29477,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], "tags": [ @@ -29625,8 +29610,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -29737,8 +29722,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ 
@@ -29847,8 +29832,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
 ],
 "tags": [
@@ -29915,8 +29900,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
 ],
 "tags": [
@@ -29982,8 +29967,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
 "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
 ],
 "tags": [
@@ -30050,8 +30035,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/datasources/DS0005/",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://attack.mitre.org/datasources/DS0005/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
 ],
 "tags": [
@@ -30142,8 +30127,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/oroneequalsone/status/1568432028361830402",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -30263,9 +30248,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
 ],
 "tags": [
@@ -30333,8 +30318,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
 "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
 ],
 "tags": [
@@ -30400,8 +30385,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
 ],
 "tags": [
@@ -30535,8 +30520,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -30604,8 +30589,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1537919885031772161",
 "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
+ "https://twitter.com/nas_bench/status/1537919885031772161",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml"
 ],
 "tags": [
@@ -30638,8 +30623,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
 "https://twitter.com/pabraeken/status/995111125447577600",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
 ],
 "tags": [
@@ -30848,10 +30833,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
 "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -30917,8 +30902,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
 ],
@@ -31009,8 +30994,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
 ],
 "tags": [
@@ -31185,8 +31170,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml"
 ],
 "tags": [
@@ -31285,10 +31270,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
 "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
- "https://twitter.com/ScumBots/status/1610626724257046529",
 "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
 "tags": [
@@ -31422,8 +31407,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
 ],
 "tags": "No established tags"
@@ -31485,21 +31470,21 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://adsecurity.org/?p=2921",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/samratashok/nishang",
 "https://github.com/besimorhino/powercat",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -31631,9 +31616,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.shellhacks.com/clear-history-powershell/",
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
+ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+ "https://www.shellhacks.com/clear-history-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
 ],
 "tags": [
@@ -31782,8 +31767,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
 "tags": "No established tags"
@@ -31945,8 +31930,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Arno0x/DNSExfiltrator",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
 ],
 "tags": [
@@ -32046,8 +32031,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -32081,8 +32066,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
 ],
 "tags": [
@@ -32215,8 +32200,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
 ],
 "tags": [
@@ -32465,8 +32450,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
 ],
 "tags": [
@@ -32675,9 +32660,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
 "https://github.com/denandz/KeeFarce",
 "https://github.com/GhostPack/KeeThief",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
 ],
 "tags": [
@@ -32757,7 +32742,7 @@
 "value": "CACTUSTORCH Remote Thread Creation"
 },
 {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
+ "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
 "meta": {
 "author": "Perez Diego (@darkquassar), oscd.community",
 "creation_date": "2019/10/27",
@@ -32769,8 +32754,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "Personal research, statistical analysis",
 "https://lolbas-project.github.io",
+ "Personal research, statistical analysis",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
 ],
 "tags": [
@@ -32792,7 +32777,7 @@
 "value": "Suspicious Remote Thread Source"
 },
 {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
+ "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2022/08/25",
@@ -33040,11 +33025,11 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1551449425842786306",
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
 "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
 "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
 "https://github.com/fengjixuchui/gdrv-loader",
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://twitter.com/malmoeb/status/1551449425842786306",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
 ],
 "tags": [
@@ -33111,18 +33096,18 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/stong/CVE-2020-15368",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
 "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
 "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/stong/CVE-2020-15368",
 "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://github.com/jbaines-r7/dellicious",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://github.com/namazso/physmem_drivers",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
 ],
 "tags": [
@@ -33230,8 +33215,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://reqrypt.org/windivert-doc.html",
 "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://reqrypt.org/windivert-doc.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
 ],
 "tags": [
@@ -33273,22 +33258,22 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://github.com/stong/CVE-2020-15368",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
 "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/CaledoniaProject/drivers-binaries",
 "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
 "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://github.com/tandasat/ExploitCapcom",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
 "https://github.com/jbaines-r7/dellicious",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/tandasat/ExploitCapcom",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
+ "https://github.com/namazso/physmem_drivers",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
 ],
 "tags": [
@@ -33447,8 +33432,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://systeminformer.sourceforge.io/",
- "https://processhacker.sourceforge.io/",
 "https://github.com/winsiderss/systeminformer",
+ "https://processhacker.sourceforge.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
 ],
 "tags": [
@@ -33516,8 +33501,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
 "https://github.com/alfarom256/CVE-2022-3699/",
+ "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
 ],
 "tags": [
@@ -33587,8 +33572,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://twitter.com/M_haggis/status/900741347035889665",
 "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://twitter.com/M_haggis/status/900741347035889665",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
 ],
 "tags": [
@@ -33630,8 +33615,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://pypi.org/project/scapy/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
+ "https://pypi.org/project/scapy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
 ],
 "tags": [
@@ -33700,9 +33685,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://content.fireeye.com/apt-41/rpt-apt41",
 "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
+ "https://content.fireeye.com/apt-41/rpt-apt41",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
 ],
 "tags": [
@@ -33935,8 +33920,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
 ],
 "tags": [
@@ -34175,8 +34160,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.ietf.org/rfc/rfc2821.txt",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://www.ietf.org/rfc/rfc2821.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
 ],
 "tags": [
@@ -34209,10 +34194,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://twitter.com/M_haggis/status/900741347035889665",
- "https://twitter.com/M_haggis/status/1032799638213066752",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
 ],
 "tags": [
@@ -34245,8 +34230,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -34553,8 +34538,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/",
 "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+ "https://ngrok.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
 ],
 "tags": [
@@ -34587,8 +34572,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://twitter.com/kleiton0x7e/status/1600567316810551296",
+ "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://github.com/kleiton0x00/RedditC2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
 ],
@@ -34622,8 +34607,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
 ],
 "tags": [
@@ -34656,8 +34641,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
 ],
 "tags": [
@@ -34788,8 +34773,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://megatools.megous.com/",
 "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
 ],
 "tags": [
@@ -34876,6 +34861,29 @@
 "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f",
 "value": "Msiexec Initiated Connection"
 },
+ {
+ "description": "Detects PowerShell creating a binary executable or script file.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/03/17",
+ "falsepositive": [
+ "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware."
+ ],
+ "filename": "file_event_win_powershell_drop_binary.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_binary.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "7047d730-036f-4f40-b9d8-1c63e36d5e62",
+ "value": "Potential Binary Or Script Dropper Via PowerShell.EXE"
+ },
 {
 "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file",
 "meta": {
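Review bot: The new cluster's `falsepositive` entry carries a typo, `inidicative`, which should read `indicative`; as the entry's `filename` and refs point at the Sigma rule `file_event_win_powershell_drop_binary.yml`, the fix belongs in that upstream rule rather than in this JSON, which appears to be regenerated from the rule set and would otherwise reintroduce it. The `description` is also thin for a galaxy consumer: "creating a binary executable or script file" does not say which file extensions the rule keys on, so an analyst reading this cluster cannot tell what the `value` "Binary Or Script Dropper" covers without opening the rule; a short clause listing the matched extensions, presumably from the rule's detection section (not visible here), would make the entry self-contained. The single `attack.persistence` tag is worth a second look as well, since file-drop activity by PowerShell is at least as often classified under execution or defense evasion, but whether that is a rule-side choice or a generation artefact cannot be told from this hunk.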
@@ -34889,8 +34897,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2398",
 "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
 ],
 "tags": [
@@ -34931,8 +34939,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
 ],
 "tags": [
@@ -34957,8 +34965,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/DrunkBinary/status/1063075530180886529",
 "https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign",
+ "https://twitter.com/DrunkBinary/status/1063075530180886529",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml"
 ],
 "tags": [
@@ -34991,10 +34999,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GossiTheDog/HiveNightmare",
 "https://github.com/FireFart/hivenightmare/",
- "https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/GossiTheDog/HiveNightmare",
 "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
 ],
 "tags": [
@@ -35028,8 +35036,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
 ],
@@ -35083,8 +35091,8 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
 "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://twitter.com/luc4m/status/1073181154126254080",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://twitter.com/luc4m/status/1073181154126254080",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
 ],
 "tags": [
@@ -35150,8 +35158,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
 "https://twitter.com/0gtweet/status/1465282548494487554",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
 ],
 "tags": [
@@ -35360,12 +35368,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
 "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
- "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
 "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
+ "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
+ "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
 ],
 "tags": [
@@ -35388,8 +35396,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
 ],
 "tags": [
@@ -35450,8 +35458,8 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
 "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://twitter.com/luc4m/status/1073181154126254080",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://twitter.com/luc4m/status/1073181154126254080",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -35728,8 +35736,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/cube0x0/CVE-2021-1675",
- "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -35765,8 +35773,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
 ],
 "tags": [
@@ -35789,10 +35797,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
 "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
+ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
 "tags": [
@@ -35860,8 +35868,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
 ],
 "tags": [
@@ -35904,8 +35912,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
 "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -36262,11 +36270,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -36333,23 +36341,23 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://github.com/CsEnox/EventViewer-UACBypass",
 "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/samratashok/nishang",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/besimorhino/powercat",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -36382,9 +36390,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
 ],
 "tags": [
@@ -36600,8 +36608,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
 ],
 "tags": [
@@ -36891,8 +36899,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
 ],
 "tags": [
@@ -36925,8 +36933,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml"
 ],
 "tags": [
@@ -36961,8 +36969,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
 "https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
 ],
 "tags": [
@@ -37030,10 +37038,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -37066,8 +37074,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
 ],
@@ -37102,8 +37110,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -37127,9 +37135,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -37160,8 +37168,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
 ],
 "tags": [
@@ -37202,8 +37210,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/Dumpert",
 "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
 ],
 "tags": [
@@ -37270,8 +37278,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/Porchetta-Industries/CrackMapExec",
+ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml"
 ],
 "tags": [
@@ -37359,7 +37367,7 @@
 "value": "Mimikatz Kirbi File Creation"
 },
 {
- "description": "Detects the creation of the default output filename used by the wmicexec tool",
+ "description": "Detects the creation of the default output filename used by the wmiexec tool",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/06/02",
@@ -37371,6 +37379,7 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
 "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml"
 ],
@@ -37521,8 +37530,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml"
 ],
 "tags": [
@@ -37555,8 +37564,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
 ],
 "tags": [
@@ -37690,9 +37699,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
 ],
@@ -37726,9 +37735,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
- "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
 ],
 "tags": [
@@ -37785,8 +37794,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
 "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
+ "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
 ],
 "tags": [
@@ -37876,8 +37885,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -37944,11 +37953,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HuskyHacks/ShadowSteal",
- "https://github.com/FireFart/hivenightmare",
- "https://github.com/cube0x0/CVE-2021-36934",
 "https://github.com/search?q=CVE-2021-36934",
 "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://github.com/HuskyHacks/ShadowSteal",
+ "https://github.com/FireFart/hivenightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
 ],
 "tags": [
@@ -38514,8 +38523,8 @@
 "refs": [
 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
 "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
+ "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
 "tags": "No established tags"
@@ -38638,9 +38647,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
 ],
 "tags": [
@@ -38795,8 +38804,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml"
 ],
 "tags": [
@@ -38971,8 +38980,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml"
 ],
 "tags": [
@@ -39239,12 +39248,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
 "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://github.com/Wh04m1001/SysmonEoP",
+ "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
 ],
 "tags": [
@@ -39499,8 +39508,8 @@
 "logsource.category": "file_rename",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
 "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
+ "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
 ],
 "tags": [
@@ -39533,8 +39542,8 @@
 "logsource.category": "file_rename",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location",
 "https://twitter.com/ffforward/status/1481672378639912960",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml"
 ],
 "tags": "No established tags"
@@ -39758,8 +39767,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
 ],
 "tags": [
@@ -39793,8 +39802,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://linuxhint.com/view-tomcat-logs-windows/",
 "Internal Research",
+ "https://linuxhint.com/view-tomcat-logs-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml"
 ],
 "tags": [
@@ -40030,8 +40039,8 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
 "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
+ "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
 ],
 "tags": [
@@ -40130,8 +40139,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
 ],
 "tags": [
@@ -40230,9 +40239,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
 ],
@@ -40266,8 +40275,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
 ],
 "tags": [
@@ -40476,9 +40485,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
 "https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations",
 "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations",
- "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml"
 ],
 "tags": [
@@ -40544,8 +40553,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://twitter.com/neonprimetime/status/1436376497980428318",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
 ],
 "tags": [
@@ -40598,40 +40607,6 @@
 "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd",
 "value": "Suspicious Subsystem for Linux Bash Execution"
 },
- {
- "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe",
- "meta": {
- "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)",
- "creation_date": "2020/03/04",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_mmc20_lateral_movement.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1021.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd",
- "value": "MMC20 Lateral Movement"
- },
 {
 "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system",
 "meta": {
@@ -40702,9 +40677,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml"
 ],
 "tags": [
@@ -40805,8 +40780,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
 "tags": [
@@ -40872,8 +40847,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -40894,20 +40869,48 @@
 "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
 },
 {
- "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits",
+ "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/04/15",
+ "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)",
+ "creation_date": "2022/06/02",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_susp_control_dll_load.yml",
+ "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml"
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444",
+ "https://twitter.com/sbousseaden/status/1531653369546301440",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "868955d9-697e-45d4-a3da-360cefd7c216",
+ "value": "Potential Exploitation Attempt From Office Application"
+ },
+ {
+ "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.",
+ "meta": {
+ "author": "Wojciech Lesicki",
+ "creation_date": "2021/06/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml",
+ "level": "high",
"logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.cobaltstrike.com/help-windows-executable",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/threat-detection-report/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40923,41 +40926,32 @@
 "type": "related-to"
 }
 ],
- "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819",
- "value": "Suspicious Control Panel DLL Load"
+ "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529",
+ "value": "CobaltStrike Load by Rundll32"
 },
 {
- "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories",
+ "description": "Uses the .NET InstallUtil.exe application in order to execute image without log",
 "meta": {
 "author": "frack113",
- "creation_date": "2021/12/13",
+ "creation_date": "2022/01/23",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_susp_dir.yml",
- "level": "low",
+ "filename": "proc_creation_win_instalutil_no_log_execution.yml",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml"
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1217"
+ "attack.defense_evasion"
 ]
 },
- "related": [
- {
- "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
- "value": "Suspicious DIR Execution"
+ "uuid": "d042284c-a296-4988-9be5-f424fadcc28c",
+ "value": "Suspicious Execution of InstallUtil Without Log"
 },
 {
 "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.",
@@ -40973,11 +40967,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.joeware.net/freetools/tools/adfind/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
 "tags": [
@@ -41034,11 +41028,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
 "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
- "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
 "https://securelist.com/my-name-is-dtrack/93338/",
 "https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
+ "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
+ "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
 ],
 "tags": [
@@ -41093,38 +41087,71 @@
 "value": "WhoAmI as Parameter"
 },
 {
- "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode",
+ "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/25",
+ "creation_date": "2021/07/14",
 "falsepositive": [
- "Case in which administrators are allowed to use ScreenConnect's Backstage mode"
+ "Unlikely"
 ],
- "filename": "proc_creation_win_screenconnect_anomaly.yml",
- "level": "high",
+ "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml",
+ "level": "critical",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
+ "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_35211_servu.yml"
 ],
 "tags": [
- "attack.command_and_control",
- "attack.t1219"
+ "attack.persistence",
+ "attack.t1136.001",
+ "cve.2021.35211"
 ]
 },
 "related": [
 {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5",
- "value": "ScreenConnect Backstage Mode Anomaly"
+ "uuid": "75578840-9526-4b2a-9462-af469a45e767",
+ "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
+ },
+ {
+ "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/26",
+ "falsepositive": [
+ "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates"
+ ],
+ "filename": "proc_creation_win_taskkill_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_execution.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d",
+ "value": "Suspicious Execution of Taskkill"
 },
 {
 "description": "Execution of well known tools for data exfiltration and tunneling",
@@ -41188,8 +41215,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
 "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
 ],
 "tags": [
@@ -41209,6 +41236,39 @@
 "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d",
 "value": "CL_LoadAssembly.ps1 Proxy Execution"
 },
+ {
+ "description": "Detects suspicious parent process for cmd.exe",
+ "meta": {
+ "author": "Tim Rauch",
+ "creation_date": "2022/09/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_cmd_unusual_parent.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b",
+ "value": "Unusual Parent Process For Cmd.EXE"
+ },
 {
 "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process",
 "meta": {
@@ -41253,102 +41313,113 @@
 "value": "DNS RCE CVE-2020-1350"
 },
 {
- "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection",
+ "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting",
 "meta": {
- "author": "frack113, Nasreddine Bencherchali",
- "creation_date": "2022/08/07",
+ "author": "Teymur Kheirkhabarov, Ecco, Florian Roth",
+ "creation_date": "2019/10/26",
 "falsepositive": [
- "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process."
+ "Commandlines containing components like cmd accidentally",
+ "Jobs and services started with cmd"
 ],
- "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml",
+ "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/frack113/status/1555830623633375232",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
+ "attack.privilege_escalation",
+ "attack.t1134.001",
+ "attack.t1134.002"
 ]
 },
 "related": [
 {
- "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1",
- "value": "Use Short Name Path in Image"
+ "uuid": "15619216-e993-4721-b590-4c520615a67d",
+ "value": "Potential Meterpreter/CobaltStrike Activity"
 },
 {
- "description": "Detects a Windows command line executable started from MMC",
- "meta": {
- "author": "Karneades, Swisscom CSIRT",
- "creation_date": "2019/08/05",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_mmc_spawn_shell.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d",
- "value": "MMC Spawning Windows Shell"
- },
- {
- "description": "Detects the creation of a process from Windows task manager",
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/03/13",
+ "creation_date": "2022/05/20",
 "falsepositive": [
- "Administrative activity"
+ "Legitimate use of AnyDesk from a non-standard folder"
 ],
- "filename": "proc_creation_win_susp_taskmgr_parent.yml",
- "level": "low",
+ "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1036"
+ "attack.command_and_control",
+ "attack.t1219"
 ]
 },
 "related": [
 {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7",
- "value": "Taskmgr as Parent"
+ "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86",
+ "value": "Remote Access Tool - Anydesk Execution From Suspicious Folder"
+ },
+ {
+ "description": "Detects commands that temporarily turn off Volume Snapshots",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2021/01/28",
+ "falsepositive": [
+ "Legitimate administration"
+ ],
+ "filename": "proc_creation_win_reg_volsnap_disable.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1354766164166115331",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a",
+ "value": "Disabled Volume Snapshots"
 },
 {
 "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
@@ -41418,39 +41489,6 @@
 "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516",
 "value": "Dumping Process via Sqldumper.exe"
 },
- {
- "description": "Use of reg to get MachineGuid information",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_machineguid.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1082"
- ]
- },
- "related": [
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f",
- "value": "Suspicious Query of MachineGUID"
- },
 {
 "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files",
 "meta": {
@@ -41485,47 +41523,28 @@
 "value": "Use Icacls to Hide File to Everyone"
 },
 {
- "description": "Detect suspicious parent processes of well-known Windows processes",
+ "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline",
 "meta": {
- "author": "vburov",
- "creation_date": "2019/02/23",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/08/03",
 "falsepositive": [
- "Some security products seem to spawn these"
+ "Unknown"
 ],
- "filename": "proc_creation_win_proc_wrong_parent.yml",
- "level": "low",
+ "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
- "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1036.003",
- "attack.t1036.005"
+ "attack.discovery"
 ]
 },
- "related": [
- {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "96036718-71cc-4027-a538-d1587e0006a7",
- "value": "Windows Processes Suspicious Parent Directory"
+ "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148",
+ "value": "Obfuscated IP Via CLI"
 },
 {
 "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use",
@@ -41563,8 +41582,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml"
 ],
 "tags": [
@@ -41641,6 +41660,38 @@
 "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133",
 "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code"
 },
+ {
+ "description": "Detects the stopping of a Windows service",
+ "meta": {
+ "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/03/05",
+ "falsepositive": [
+ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly"
+ ],
+ "filename": "proc_creation_win_sc_stop_service.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "81bcb81b-5b1f-474b-b373-52c871aaa7b1",
+ "value": "Stop Windows Service Via Sc.EXE"
+ },
 {
 "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.",
 "meta": {
@@ -41654,8 +41705,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
 ],
 "tags": [
@@ -41675,6 +41726,27 @@
 "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5",
 "value": "Use of Wfc.exe"
 },
+ {
+ "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/08/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6",
+ "value": "Suspicious SysAidServer Child"
+ },
 {
 "description": "Detects the execution of whoami.exe with suspicious parent processes.",
 "meta": {
@@ -41690,9 +41762,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
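Review bot: The added SysAidServer entry sets `"tags": "No established tags"`, a bare string, while every other entry in this diff (the neighbouring Wfc.exe and whoami entries included) carries `tags` as a JSON array, so any consumer that iterates `meta.tags` or filters clusters by ATT&CK tag will either skip this cluster or fail on it. The value reads like a placeholder emitted when the source Sigma rule declares no tags; if the file is generated from the Sigma repository, as the `refs` entries suggest, the fix belongs in the generator, otherwise it should be `"tags": []` or the key should be omitted. Worth a schema check in CI so the string-vs-array mismatch cannot land again.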
@@ -41748,7 +41820,7 @@
 "value": "HackTool - SharpChisel Execution"
 },
 {
- "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity",
+ "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity",
 "meta": {
 "author": "Florian Roth (Nextron Systems), Samir Bousseaden",
 "creation_date": "2021/11/27",
@@ -41760,9 +41832,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://twitter.com/Hexacorn/status/1420053502554951689",
 "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
 ],
 "tags": [
@@ -41788,7 +41860,7 @@
 }
 ],
 "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e",
- "value": "Suspicious LSASS Process Clone"
+ "value": "Potential Credential Dumping Via LSASS Process Clone"
 },
 {
 "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.",
@@ -41803,9 +41875,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml"
 ],
 "tags": [
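Review bot: The rewritten LSASS description still contains the duplicated word in "LSASS process process clone"; the change only swapped "process dumping" for "credential dumping" and left the typo in place. The line should read `"description": "Detects a suspicious LSASS process clone that could be a sign of credential dumping activity",`. Since the text appears to be mirrored from the Sigma rule named in `refs`, the correction likely has to go upstream in that rule's description for it to survive the next regeneration.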
@@ -41827,63 +41899,37 @@ "value": "Suspicious Whoami.EXE Execution" }, { - "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "meta": { - "author": "Micah Babinski", - "creation_date": "2022/12/11", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/02/06", "falsepositive": [ - "Legitimate use of the tool by administrators or users to update metadata of a binary" + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], - "filename": "proc_creation_win_susp_rcedit_execution.yml", - "level": "medium", + "filename": "proc_creation_win_gup_suspicious_execution.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", - "https://github.com/electron/rcedit", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml" + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "attack.t1574.002" ] }, "related": [ { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", - "value": "Potential PE Metadata Tamper Using Rcedit" + "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", + "value": "Suspicious GUP Usage" }, { "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", 
@@ -41899,13 +41945,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://ngrok.com/docs", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://twitter.com/xorJosh/status/1598646907802451969", + "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ 
@@ -41925,116 +41971,6 @@ "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "value": "PUA - Ngrok Execution" }, - { - "description": "Detects AdFind execution with common flags seen used during attacks", - "meta": { - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", - "creation_date": "2021/02/02", - "falsepositive": [ - "Legitimate admin activity" - ], - "filename": "proc_creation_win_adfind_susp_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adfind_susp_usage.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" - ] - }, - "related": [ - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": 
"2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", - "value": "AdFind Suspicious Execution" - }, - { - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", - "value": "Suspicious Usage Of ShellExec_RunDLL" - }, - { - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/10", - "falsepositive": [ - "Other parent binaries using GUP not currently identified" - ], - "filename": "proc_creation_win_susp_gup_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1535322445439180803", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", 
- "value": "Execute Arbitrary Binaries Using GUP Utility" - }, { "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", "meta": { @@ -42048,8 +41984,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ 
@@ -42069,6 +42005,40 @@ "uuid": "1e59c230-6670-45bf-83b0-98903780607e", "value": "Gpscript Execution" }, + { + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/06/07", + "falsepositive": [ + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + ], + "filename": "proc_creation_win_susp_archiver_iso_phishing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566" + ] + }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "value": "Phishing Pattern ISO in Archive" + }, { "description": "Detects nltest commands that can be used for information discovery", "meta": { 
@@ -42082,13 +42052,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ 
@@ -42116,6 +42086,54 @@ "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "value": "Potential Recon Activity Via Nltest.EXE" }, + { + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "meta": { + "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", + "creation_date": "2019/07/31", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/hFireF0X/status/897640081053364225", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "value": "CMSTP UAC Bypass via COM Object Access" + }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { 
@@ -42152,48 +42170,6 @@ "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "value": "CMSTP Execution Process Creation" }, - { - "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", - "meta": { - "author": "Sreeman, Nasreddine Bencherchali", - "creation_date": "2020/01/13", - "falsepositive": [ - "Administrative scripts (installers)" - ], - "filename": "proc_creation_win_cmd_curl_download_and_start_combo.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_and_start_combo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "value": "Suspicious Curl Download And Execute Combination" - }, { "description": "Detects WannaCry ransomware activity", "meta": { 
@@ -42299,25 +42275,24 @@ { "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { - "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "author": "Nasreddine Bencherchali", "creation_date": "2023/02/14", "falsepositive": [ - "Asset management software", - "During software installations" + "Unknown" ], "filename": "proc_creation_win_wmic_recon_product.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", + "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", + "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ "attack.execution", - "attack.t1047", - "car.2016-03-002" + "attack.t1047" ] }, "related": [ @@ -42329,7 +42304,7 @@ "type": "related-to" } ], - "uuid": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "uuid": "15434e33-5027-4914-88d5-3d4145ec25a9", "value": "Potential Product Reconnaissance Via Wmic.EXE" }, { 
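Review bot: The second hunk on this line replaces the `uuid` of an existing cluster entry (`e568650b-…` becomes `15434e33-…`) while keeping its `value` `Potential Product Reconnaissance Via Wmic.EXE`; in a MISP galaxy the uuid is the stable identifier, so event tags and relationships already attached to the old uuid stop resolving, and instances that merge the updated galaxy see a new cluster rather than an update to the existing one. Together with the author, `falsepositive` and `car.2016-03-002` changes in the first hunk this looks like the upstream rule being replaced rather than edited, in which case the old entry should presumably be retained (or marked deprecated) next to the new one instead of having its uuid rewritten in place. If the uuid is taken from the upstream rule id, that is where the intent should be confirmed before this lands.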
@@ -42345,10 +42320,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/yellow-cockatoo/", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://zero2auto.com/2020/05/19/netwalker-re/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://redcanary.com/blog/yellow-cockatoo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ 
@@ -42385,6 +42360,73 @@ "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "value": "Suspicious XOR Encoded PowerShell Command" }, + { + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_java_keytool_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "value": "Suspicious Shells Spawn by Java Utility Keytool" + }, + { + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." 
+ ], + "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1021.006" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", + "value": "Remote PowerShell Session Host Process (WinRM)" + }, { "description": "Detects suspicious use of XORDump process memory dumping utility", "meta": { 
@@ -42426,6 +42468,41 @@ "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "value": "HackTool - XORDump Execution" }, + { + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Authorized administrative activity" + ], + "filename": "proc_creation_win_pua_adfind_enumeration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "related": [ + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "value": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" + }, { "description": "Detect use of PDQ Deploy remote admin tool", "meta": { 
@@ -42503,41 +42580,6 @@ "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "value": "CreateDump Process Dump" }, - { - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/11", - "falsepositive": [ - "Administrative activity", - "Software installation" - ], - "filename": "proc_creation_win_schtask_creation_temp_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtask_creation_temp_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "value": "Suspicious Scheduled Task Creation Involving Temp Folder" - }, { "description": "Detects WMI script event consumers", "meta": { 
@@ -42574,162 +42616,81 @@ "value": "WMI Persistence - Script Event Consumer" }, { - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", - "creation_date": "2022/08/25", + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/08", "falsepositive": [ - "Unlikely" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "filename": "proc_creation_win_c2_sliver.yml", - "level": "critical", + "filename": "proc_creation_win_lolbin_pester_1.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ] }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "42333b2c-b425-441c-b70e-99404a17170f", - "value": "Sliver C2 
Implant Activity Pattern" + "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "value": "Execute Code with Pester.bat" }, { - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", + "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/05", + "author": "Christian Burkard (Nextron Systems)", + "creation_date": "2021/10/26", "falsepositive": [ - "Unknown" + "Google Drive", + "Citrix" ], - "filename": "proc_creation_win_susp_ntdll_type_redirect.yml", + "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=ntdll_pipe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "value": "Suspicious Ntdll Pipe Redirection" - }, - { - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "meta": { - "author": "Andreas Hunkeler (@Karneades), Markus Neis", - "creation_date": "2021/05/20", - "falsepositive": [ - "Legitimate WinRM usage" - ], - "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - 
"estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", - "value": "Suspicious Processes Spawned by WinRM" - }, - { - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "meta": { - "author": "David Burkett, @signalblur", - "creation_date": "2019/12/28", - "falsepositive": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" - ], - "filename": "proc_creation_win_susp_svchost_no_cli.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" + "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" + "attack.t1036" ] }, "related": [ { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", - "value": "Suspect Svchost Activity" - }, - { - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "meta": { - "author": "Alfie Champion (ajpc500)", - "creation_date": "2021/06/02", - "falsepositive": [ - "Unknown" - 
], - "filename": "proc_creation_win_c3_load_by_rundll32.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "value": "F-Secure C3 Load by Rundll32" + "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "value": "Command Line Path Traversal Evasion" }, { "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", @@ -42744,8 +42705,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml" ], "tags": [ 
@@ -42766,38 +42727,36 @@ "value": "Potential Emotet Rundll32 Execution" }, { - "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "meta": { - "author": "xknow @xknow_infosec, Tim Shelton", - "creation_date": "2020/06/11", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/03/18", "falsepositive": [ - "(not much) some benign Java tools may product false-positive commandlines for loading libraries" + "Unknown" ], - "filename": "proc_creation_win_commandline_path_traversal.yml", + "filename": "proc_creation_win_taskmgr_localsystem.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", - "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1036" ] }, "related": [ { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", - "value": "Cmd.exe CommandLine Path Traversal" + "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "value": "Taskmgr as LOCAL_SYSTEM" }, { "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", 
@@ -42835,16 +42794,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://twitter.com/_xpn_/status/1268712093928378368", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -42877,8 +42836,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -42911,9 +42870,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -42947,8 +42906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" ], 
@@ -42982,8 +42941,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -43012,6 +42971,39 @@ "uuid": "74403157-20f5-415d-89a7-c505779585cf", "value": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" }, + { + "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location", + "meta": { + "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "creation_date": "2020/06/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "value": "Lazarus System Binary Masquerading" + }, { "description": "Download and compress a remote file and store it in a cab file on local machine.", "meta": { 
@@ -43046,37 +43038,39 @@ "value": "Suspicious Diantz Download and Compress Into a CAB File" }, { - "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "meta": { - "author": "@41thexplorer", - "creation_date": "2018/11/20", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/05", "falsepositive": [ - "Unlikely" + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], - "filename": "proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml", - "level": "critical", + "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/DrunkBinary/status/1063075530180886529", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml" + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ - "attack.execution", - "attack.t1218.011" + "attack.defense_evasion", + "attack.t1564.004" ] }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "7453575c-a747-40b9-839b-125a0aae324b", - "value": "APT29 
2018 Phishing Campaign CommandLine Indicators" + "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "value": "Use NTFS Short Name in Command Line" }, { "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", @@ -43092,8 +43086,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1534916659676422152", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], "tags": [ @@ -43191,8 +43185,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/fatedier/frp", "https://asec.ahnlab.com/en/38156/", + "https://github.com/fatedier/frp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" ], "tags": [ 
@@ -43212,72 +43206,6 @@ "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", "value": "PUA - Fast Reverse Proxy (FRP) Execution" }, - { - "description": "Detects wmiexec vbs version execution by wscript or cscript", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/04/07", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_cloudhopper.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml" - ], - "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" - ] - }, - "related": [ - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "966e4016-627f-44f7-8341-f394905c361f", - "value": "WMIExec VBS Script" - }, - { - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/03/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", - "value": "Taskmgr as LOCAL_SYSTEM" - }, { "description": 
"Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", "meta": { @@ -43347,6 +43275,56 @@ "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", "value": "UAC Bypass Using IDiagnostic Profile" }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com/posts/redmimicry-winnti/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "value": "HackTool - RedMimicry Winnti Playbook Execution" + }, { "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", "meta": { 
@@ -43361,8 +43339,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -43395,8 +43373,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" ], "tags": [ 
@@ -43539,6 +43517,147 @@ "uuid": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "value": "Renamed AutoHotkey.EXE Execution" }, + { + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "meta": { + "author": "Agro (@agro_sev) oscd.community", + "creation_date": "2020/10/10", + "falsepositive": [ + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." + ], + "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bryon_/status/975835709587075072", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "value": "Detection of PowerShell Execution via Sqlps.exe" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and 
control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_remote_access_software_ultraviewer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", + "value": "Use of UltraViewer Remote Access Software" + }, + { + "description": "Detects a suspicious program execution in Outlook temp folder", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_outlook_execution_from_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "related": [ + { + "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "value": "Execution in Outlook Temp Folder" + }, + { + "description": "Detects the stopping of a Windows service", + "meta": { + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/05", + "falsepositive": [ + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" + ], + "filename": "proc_creation_win_net_stop_service.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "88872991-7445-4a22-90b2-a3adadb0e827", + "value": "Stop Windows Service Via Net.EXE" + }, { "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", "meta": { 
@@ -43586,10 +43705,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": "No established tags" 
@@ -43598,39 +43717,37 @@ "value": "PUA - AdvancedRun Execution" }, { - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", "meta": { "author": "frack113", - "creation_date": "2022/01/30", + "creation_date": "2022/01/12", "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" + "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], - "filename": "proc_creation_win_susp_takeown.yml", - "level": "medium", + "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", - "value": "Suspicious Recursive Takeown" + "uuid": 
"6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "value": "Uninstall Sysinternals Sysmon" }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", 
@@ -43719,37 +43836,61 @@ "value": "HackTool - Rubeus Execution" }, { - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/03/05", + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", "falsepositive": [ - "Unknown" + "Legitimate use of odbcconf.exe by legitimate user" ], - "filename": "proc_creation_win_susp_vbscript_unc2452.yml", - "level": "high", + "filename": "proc_creation_win_odbcconf_susp_exec.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://redcanary.com/blog/raspberry-robin/", + "https://twitter.com/Hexacorn/status/1187143326673330176", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.defense_evasion", + "attack.t1218.008" ] }, "related": [ { - "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", - "value": "Suspicious VBScript UN2452 Pattern" + "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "value": "Application 
Whitelisting Bypass via DLL Loaded by odbcconf.exe" + }, + { + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "meta": { + "author": "Hieu Tran", + "creation_date": "2023/03/13", + "falsepositive": [ + "Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" + ], + "filename": "proc_creation_win_powershell_decode_gzip.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml" + ], + "tags": "No established tags" + }, + "uuid": "98767d61-b2e8-4d71-b661-e36783ee24c1", + "value": "Gzip Archive Decode Via PowerShell" }, { "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", 
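Review bot: The new "Gzip Archive Decode Via PowerShell" cluster sets `"tags": "No established tags"`, a plain string, while every other entry in this file uses an array of `attack.*` strings; a consumer that iterates `meta.tags` will get individual characters for this entry, and the mismatch also means no `related` block is emitted for it. Since the same string form already appears on the existing "PUA - AdvancedRun Execution" entry, this looks like the generator's convention rather than a one-off, so the fix belongs in the generator: emit `"tags": []` (or omit the key) when a rule has no ATT&CK tags. The odbcconf cluster in this hunk keeps UUID `65d2be45-…` and only changes `filename` and the order of `refs`, which matches its deletion later in the diff, so that part is a benign reorder.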
@@ -43784,6 +43925,51 @@ "uuid": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "value": "Group Membership Reconnaissance Via Whoami.EXE" }, + { + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "meta": { + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Legitimate usage by software developers" + ], + "filename": "proc_creation_win_csi_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1072", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", + "value": "Suspicious Csi.exe Usage" + }, { "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "meta": { 
@@ -43894,69 +44080,12 @@ "value": "TAIDOOR RAT DLL Load" }, { - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_wermgr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://github.com/binderlabs/DirCreate2System", - "https://www.echotrail.io/insights/search/wermgr.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" - ], - "tags": "No established tags" - }, - "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "value": "Suspicious WERMGR Process Patterns" - }, - { - "description": "Detects suspicious process related to rasdial.exe", - "meta": { - "author": "juju4", - "creation_date": "2019/01/16", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_rasdial_activity.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/subTee/status/891298217907830785", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", - "value": "Suspicious RASdial 
Activity" - }, - { - "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/01", "falsepositive": [ - "Administrators settings a service to disable via script or cli for testing purposes" + "False positives may occur with troubleshooting scripts" ], "filename": "proc_creation_win_sc_disable_service.yml", "level": "medium", @@ -43982,7 +44111,7 @@ } ], "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" + "value": "Service StartupType Change Via Sc.EXE" }, { "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", 
@@ -44018,76 +44147,6 @@ "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "value": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" }, - { - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_missing_spaces.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", - "https://ss64.com/nt/cmd.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", - "value": "Missing Space Characters in Command Lines" - }, - { - "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", - "meta": { - "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate use of odbcconf.exe by legitimate user" - ], - "filename": "proc_creation_win_susp_odbcconf.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", - "https://redcanary.com/blog/raspberry-robin/", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", 
- "https://twitter.com/Hexacorn/status/1187143326673330176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.008" - ] - }, - "related": [ - { - "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", - "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" - }, { "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "meta": { 
@@ -44177,6 +44236,39 @@ "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "value": "UAC Bypass Tools Using ComputerDefaults" }, + { + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/10", + "falsepositive": [ + "Legitimate activity is expected since extracting files with a password can be common in some environement." + ], + "filename": "proc_creation_win_7zip_password_extraction.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", + "value": "Password Protected Compressed File Extraction Via 7Zip" + }, { "description": "Detects command line parameters used by Koadic hack tool", "meta": { @@ -44191,8 +44283,8 @@ "logsource.product": "windows", "refs": [ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ 
@@ -44228,6 +44320,39 @@ "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", "value": "HackTool - Koadic Execution" }, + { + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "value": "Always Install Elevated MSI Spawned Cmd And Powershell" + }, { "description": "Detects usage of Dsacls to grant over permissive permissions", "meta": { @@ -44241,8 +44366,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ 
@@ -44262,6 +44387,56 @@ "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", "value": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" }, + { + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "meta": { + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "filename": "proc_creation_win_susp_shadow_copies_creation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", + "value": "Shadow Copies Creation Using Operating Systems Utilities" + }, { "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", "meta": { 
@@ -44275,8 +44450,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ 
@@ -44327,83 +44502,64 @@ } ], "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "value": "Use of GoToAssist Remote Access Software" + "value": "Remote Access Tool - GoToAssist Execution" }, { - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "description": "Use of the commandline to shutdown or reboot windows", "meta": { - "author": "Austin Songer (@austinsonger)", - "creation_date": "2021/10/21", + "author": "frack113", + "creation_date": "2022/01/01", "falsepositive": [ - "Legitimate usage of stordiag.exe." + "Unknown" ], - "filename": "proc_creation_win_stordiag_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/eral4m/status/1451112385041911809", - "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "value": "Execution via stordiag.exe" - }, - { - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" - ], - "filename": "proc_creation_win_susp_pester.yml", + "filename": "proc_creation_win_shutdown_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1216" + "attack.impact", + "attack.t1529" ] }, "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", - "value": "Execute Code with Pester.bat" + "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "value": "Suspicious Execution of Shutdown" + }, + { + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/11/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", + "value": "Suspicious RunAs-Like Flag Combination" }, { "description": "Detects suspicious ways to download files or content using PowerShell", @@ -44439,10 +44595,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": "No established tags" 
@@ -44450,40 +44606,6 @@ "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", "value": "PUA - AdvancedRun Suspicious Execution" }, - { - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" - ] - }, - "related": [ - { - "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75578840-9526-4b2a-9462-af469a45e767", - "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" - }, { "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", "meta": { @@ -44497,9 +44619,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", + "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ 
@@ -44533,8 +44655,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], "tags": [ @@ -44567,9 +44689,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", + "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_lockergoga_ransomware.yml" ], "tags": [ @@ -44603,10 +44725,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ 
@@ -44642,39 +44764,6 @@ "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "value": "Suspicious Use of PsLogList" }, - { - "description": "Detects suspicious parent process for cmd.exe", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_unusual_parent_for_cmd.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "value": "Unusual Parent Process for cmd.exe" - }, { "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "meta": { @@ -44825,8 +44914,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://twitter.com/0gtweet/status/1206692239839289344", + "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ 
@@ -44894,8 +44983,8 @@ "logsource.product": "windows", "refs": [ "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://twitter.com/ClearskySec/status/960924755355369472", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" ], "tags": [ @@ -44990,8 +45079,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ 
@@ -45011,41 +45100,6 @@ "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", "value": "Dism Remove Online Package" }, - { - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/18", - "falsepositive": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" - ], - "filename": "proc_creation_win_persistence_wpbbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_wpbbin.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" - ] - }, - "related": [ - { - "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", - "value": "UEFI Persistence Via Wpbbin - ProcessCreation" - }, { "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", "meta": { 
@@ -45059,8 +45113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], @@ -45081,40 +45135,6 @@ "uuid": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "value": "Potential Windows Defender Tampering Via Wmic.EXE" }, - { - "description": "Detecting DNS tunnel activity for Muddywater actor", - "meta": { - "author": "@caliskanfurkan_", - "creation_date": "2020/06/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", - "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "related": [ - { - "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "36222790-0d43-4fe8-86e4-674b27809543", - "value": "DNS Tunnel Technique from MuddyWater" - }, { "description": "Detects usage of attrib.exe to hide files from users.", "meta": { 
@@ -45125,10 +45145,12 @@ "Msiexec.exe hiding desktop.ini" ], "filename": "proc_creation_win_attrib_hiding_files.yml", - "level": "low", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -45262,9 +45284,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/right-to-left-override/", - "https://unicode-explorer.com/c/202E", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", + "https://unicode-explorer.com/c/202E", + "https://redcanary.com/blog/right-to-left-override/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ 
@@ -45285,96 +45307,69 @@ "value": "Potential Defense Evasion Via Right-to-Left Override" }, { - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "description": "Detect suspicious parent processes of well-known Windows processes", "meta": { - "author": "frack113", - "creation_date": "2022/11/18", + "author": "vburov", + "creation_date": "2019/02/23", "falsepositive": [ - "Unknown" + "Some security products seem to spawn these" ], - "filename": "proc_creation_win_susp_powercfg.yml", - "level": "medium", + "filename": "proc_creation_win_susp_proc_wrong_parent.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", - "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout" - }, - { - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/06/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": 
"proc_creation_win_susp_sysprep_appdata.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036.005" ] }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", - "value": "Sysprep on AppData Folder" + "uuid": "96036718-71cc-4027-a538-d1587e0006a7", + "value": "Windows Processes Suspicious Parent Directory" }, { - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/07/03", + "creation_date": "2022/01/16", "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "filename": "proc_creation_win_susp_desktopimgdownldr.yml", + "filename": "proc_creation_win_susp_redirect_local_admin_share.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", - "https://twitter.com/SBousseaden/status/1278977301745741825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] + "tags": "No established tags" }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "value": "Suspicious Desktopimgdownldr Command" + "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", + "value": "Suspicious Redirection to Local Admin Share" }, { "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", 
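Review bot: The new "Suspicious Redirection to Local Admin Share" cluster is emitted with `"tags": "No established tags"`, a bare string where every other cluster in these hunks carries a JSON array; the same string already appears as context on the AdvancedRun cluster, so this looks like a generator artifact rather than a one-off. A consumer iterating `meta.tags` will walk the characters of that string, and any schema check that expects a list of tag strings will reject the galaxy. Suggest the generator emit `"tags": []` (or drop the key) when the upstream Sigma rule has no ATT&CK tags, then regenerate this file rather than hand-patching it.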
@@ -45422,14 +45417,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ 
@@ -45472,8 +45467,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -45507,8 +45502,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ 
@@ -45529,28 +45524,104 @@ "value": "New Remote Desktop Connection Initiated Via Mstsc.EXE" }, { - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/11", + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate usage of the tool" + ], + "filename": "proc_creation_win_remote_access_tools_screenconnect.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", + "value": "Remote Access Tool - ScreenConnect Execution" + }, + { + "description": "Detects 
Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "meta": { + "author": "bohops", + "creation_date": "2022/10/30", + "falsepositive": [ + "False positives depend on custom use of vsls-agent.exe" + ], + "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/1583916360404729857", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "43103702-5886-11ed-9b6a-0242ac120002", + "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" + }, + { + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/08/23", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_turn_on_dev_features.yml", + "filename": "proc_creation_win_cmd_no_space_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml" + "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ - "attack.defense_evasion" + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "a383dec4-deec-4e6e-913b-ed9249670848", - "value": "Potential Signing Bypass Via Windows Developer Features" + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", + "value": "Cmd.EXE Missing Space Characters Execution Anomaly" }, { "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", 
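Review bot: The re-added cluster keeps uuid a16980c2-0c56-4de0-9a79-17971979efdd but its `value` changes from "Missing Space Characters in Command Lines" (deleted in the first hunk) to "Cmd.EXE Missing Space Characters Execution Anomaly"; if galaxy tags are matched on the value text, events already tagged with the old name will presumably stop resolving to this cluster, so the rename is worth calling out in the commit message and confirming against how MISP resolves galaxy tags. The description it carries still reads "a sign of obfuscation of a fat finger problem", where "of" should be "or"; since this file is regenerated from SigmaHQ, that fix belongs in proc_creation_win_cmd_no_space_execution.yml upstream rather than here. The ScreenConnect description likewise ends with a bare "(Citation: Symantec Living off the Land)" marker whose reference does not appear in its `refs`.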
@@ -45594,48 +45665,6 @@ "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", "value": "Suspicious MSDT Parent Process" }, - { - "description": "Detects a set of suspicious network related commands often used in recon stages", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/07", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_recon_network_activity.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ] - }, - "related": [ - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "value": "Network Reconnaissance Activity" - }, { "description": "Detects the PowerShell command lines with special characters", "meta": { 
@@ -45693,9 +45722,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ 
@@ -45716,39 +45745,38 @@ "value": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" }, { - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "meta": { - "author": "Sreeman", - "creation_date": "2020/10/29", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/07/03", "falsepositive": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": "proc_creation_win_persistence_bitsadmin.yml", - "level": "medium", + "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_bitsadmin.yml" + "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1197" + 
"attack.command_and_control", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "value": "Monitoring For Persistence Via BITS" + "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "value": "Suspicious Desktopimgdownldr Command" }, { "description": "Detects activity mentioned in Operation Wocao report", @@ -45763,8 +45791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" ], "tags": [ 
@@ -45852,6 +45880,43 @@ "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "value": "Pingback Backdoor Activity" }, + { + "description": "Detects potential commandline obfuscation using known escape characters", + "meta": { + "author": "juju4", + "creation_date": "2018/12/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", + "https://twitter.com/Hexacorn/status/885553465417756673", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/vysecurity/status/885545634958385153", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", + "value": "Potential Commandline Obfuscation Using Escape Characters" + }, { "description": "Detects creation or execution of UserInitMprLogonScript persistence method", "meta": { 
@@ -45936,166 +46001,37 @@ "value": "PowerShell DownloadFile" }, { - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Maxim Pavlunin", - "creation_date": "2020/04/01", + "author": "Tim Rauch", + "creation_date": "2022/09/27", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_html_help_spawn.yml", + "filename": "proc_creation_win_dns_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml" + "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", "attack.initial_access", - "attack.t1218" + "attack.t1133" ] }, "related": [ { - "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" 
- ], - "type": "related-to" - }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "value": "HTML Help Shell Spawn" - }, - { - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "meta": { - "author": 
"Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" - ], - "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", - "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" - ] - }, - "related": [ - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "value": "Copying Sensitive Files with Credential Data" + "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "value": "Unusual Child Process of dns.exe" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", 
@@ -46153,8 +46089,8 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -46187,8 +46123,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ 
@@ -46282,6 +46218,41 @@ "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", "value": "Potential DLL Injection Or Execution Using Tracker.exe" }, + { + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "meta": { + "author": "frack113, Tim Shelton (update fp)", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_elevated_system_shell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "178e615d-e666-498b-9630-9ed363038101", + "value": "Suspicious Elevated System Shell" + }, { "description": "Detects suspicious child processes spawned by PowerShell", "meta": { @@ -46350,8 +46321,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], 
@@ -46375,13 +46346,13 @@ "value": "New Port Forwarding Rule Added Via Netsh.EXX" }, { - "description": "Detects commandline flags that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", + "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", "meta": { "author": "Markus Neis", "creation_date": "2017/08/28", "falsepositive": [ "Legitimate use of SysInternals tools", - "Programs that use the same commandline" + "Programs that use the same command line flag" ], "filename": "proc_creation_win_sysinternals_eula_accepted.yml", "level": "low", 
@@ -46450,6 +46421,48 @@ "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "value": "Suspicious Schtasks Execution AppData Folder" }, + { + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_runscripthelper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + "value": "Suspicious Runscripthelper.exe" + }, { "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", "meta": { 
@@ -46497,8 +46510,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", + "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ @@ -46518,6 +46531,41 @@ "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "value": "Suspicious Parent Double Extension File Execution" }, + { + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6345b048-8441-43a7-9bed-541133633d7a", + "value": "ZOHO Dctask64 Process Injection" + }, { "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", "meta": { 
@@ -46556,8 +46604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ 
@@ -46614,38 +46662,82 @@ "value": "Suspicious Binary In User Directory Spawned From Office Application" }, { - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/16", + "author": "Janantha Marasinghe", + "creation_date": "2020/09/26", "falsepositive": [ - "Legitimate administration activities" + "This may have false positives on hosts where Virtualbox is legitimately being used for operations" ], - "filename": "proc_creation_win_software_discovery.yml", - "level": "medium", + "filename": "proc_creation_win_virtualbox_execution.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" + "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", + "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml" ], "tags": [ - "attack.discovery", - "attack.t1518" + "attack.defense_evasion", + "attack.t1564.006", + "attack.t1564" ] }, "related": [ { - "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", - "value": "Detected Windows Software Discovery" + "uuid": "bab049ca-7471-4828-9024-38279a4c04da", + "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" + }, + { + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://github.com/defaultnamehere/cookie_crimes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1185" + ] + }, + "related": [ + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "value": "Potential Data Stealing Via Chromium Headless Debugging" }, { "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", @@ -46653,7 +46745,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/25", "falsepositive": [ - "Legitimate command-lines containing the string mentioned in the command-line" + "Unknown" ], "filename": "proc_creation_win_susp_office_token_search.yml", "level": "medium", @@ -46691,8 +46783,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ 
@@ -46721,74 +46813,6 @@ "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "value": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" }, - { - "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_webdav_client_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "related": [ - { - "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", - "value": "Suspicious WebDav Client Execution" - }, - { - "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", - "meta": { - "author": "Ján Trenčanský", - "creation_date": "2021/08/06", - "falsepositive": [ - "Legitimate deployment of AnyDesk" - ], - "filename": "proc_creation_win_anydesk_silent_install.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", - "https://support.anydesk.com/Automatic_Deployment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", - "value": "AnyDesk Silent Installation" - }, { "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "meta": { 
@@ -46823,6 +46847,40 @@ "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", "value": "DirLister Execution" }, + { + "description": "The Devtoolslauncher.exe executes other binary", + "meta": { + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "creation_date": "2019/10/12", + "falsepositive": [ + "Legitimate use of devtoolslauncher.exe by legitimate user" + ], + "filename": "proc_creation_win_lolbin_devtoolslauncher.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "value": "Devtoolslauncher.exe Executes Specified Binary" + }, { "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", "meta": { 
@@ -46836,9 +46894,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ 
@@ -46859,81 +46917,38 @@ "value": "File Encoded To Base64 Via Certutil.EXE" }, { - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "meta": { - "author": "Sreeman", - "creation_date": "2020/01/13", + "author": "Teymur Kheirkhabarov", + "creation_date": "2019/10/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_task_folder_evasion.yml", + "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", - "https://twitter.com/subTee/status/1216465628946563073", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" ], "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.privilege_escalation", + "attack.t1574.011" ] }, "related": [ { - "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "value": "Tasks Folder Evasion" - 
}, - { - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/09/12", - "falsepositive": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." - ], - "filename": "proc_creation_win_remote_powershell_session_process.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - "value": "Remote PowerShell Session Host Process (WinRM)" + "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", + "value": "Potential Privilege Escalation via Service Permissions Weakness" }, { "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", 
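Review bot: The replacement element `0f9c21f1-6a73-4b0e-9809-cb562cb8d981` describes detecting registry modification of service configuration (ImagePath, FailureCommand, ServiceDLL) by Medium-integrity processes, yet its `logsource.category` is `process_creation` and its filename is prefixed `proc_creation_`; a registry-based detection would normally carry a registry log source, so this is worth confirming against the upstream Sigma rule in case the category is a generation artifact. Its title is also nearly identical to the existing `Possible Privilege Escalation via Weak Service Permissions` element (`d937b75f-a665-4480-88a5-2f20e9f9b22a`) visible in the -47029 hunk, which may confuse analysts choosing between the two.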
@@ -46948,8 +46963,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ @@ -46972,8 +46987,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ 
@@ -47029,39 +47044,6 @@ "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", "value": "Possible Privilege Escalation via Weak Service Permissions" }, - { - "description": "Detects commands that temporarily turn off Volume Snapshots", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/01/28", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_susp_volsnap_disable.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1354766164166115331", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "related": [ - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", - "value": "Disabled Volume Snapshots" - }, { "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", "meta": { 
@@ -47128,6 +47110,40 @@ "uuid": "b0524451-19af-4efa-a46f-562a977f792e", "value": "ShimCache Flush" }, + { + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/02/21", + "falsepositive": [ + "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." + ], + "filename": "proc_creation_win_chcp_codepage_lookup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1614.001" + ] + }, + "related": [ + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", + "value": "Console CodePage Lookup Via CHCP" + }, { "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", "meta": { 
@@ -47162,39 +47178,6 @@ "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", "value": "HackTool - SharPersist Execution" }, - { - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "meta": { - "author": "Cedric MAURUGEON", - "creation_date": "2021/09/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "value": "Process Dump via RdrLeakDiag.exe" - }, { "description": "Detects specific process parameters as used by Mustang Panda droppers", "meta": { @@ -47208,9 +47191,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" ], "tags": [ 
@@ -47231,46 +47214,27 @@ "value": "Mustang Panda Dropper" }, { - "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/06", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/09", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_proc_dump_dumpminitool.yml", - "level": "medium", + "filename": "proc_creation_win_malware_griffon_patterns.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_griffon_patterns.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.execution" ] }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", - "value": "DumpMinitool Usage" + "uuid": "bcc6f179-11cd-4111-a9a6-0fab68515cf7", + "value": "Griffon Malware Attack Pattern" }, { "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company 
likely created with py2exe", @@ -47285,8 +47249,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -47306,39 +47270,6 @@ "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "value": "Suspicious File Characteristics Due to Missing Fields" }, - { - "description": "Detects when a program changes the default file association of any extension to an executable", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_change_default_file_assoc_susp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.001" - ] - }, - "related": [ - { - "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "value": "Change Default File Association To Executable" - }, { "description": "Detects the use of 3proxy, a tiny free proxy server", "meta": { 
@@ -47352,8 +47283,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" ], "tags": [ @@ -47386,10 +47317,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -47423,9 +47354,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ 
@@ -47445,48 +47376,6 @@ "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90", "value": "Python Inline Command Execution" }, - { - "description": "Detects a ping command that uses a hex encoded IP address", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/03/23", - "falsepositive": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" - ], - "filename": "proc_creation_win_susp_ping_hex_ip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", - "https://twitter.com/vysecurity/status/977198418354491392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "value": "Ping Hex IP" - }, { "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "meta": { 
@@ -47697,39 +47586,6 @@ "uuid": "903076ff-f442-475a-b667-4f246bcc203b", "value": "Nltest.EXE Execution" }, - { - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_parent_of_conhost.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "value": "Conhost Spawned By Suspicious Parent Process" - }, { "description": "Detects a ZxShell start by the called and well-known function name", "meta": { 
@@ -47774,6 +47630,57 @@ "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "value": "ZxShell Malware" }, + { + "description": "Shadow Copies deletion using operating systems utilities", + "meta": { + "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + ], + "filename": "proc_creation_win_susp_shadow_copies_deletion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/Neo23x0/Raccine#the-process", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1070", + "attack.t1490" + ] + }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"related-to" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "value": "Shadow Copies Deletion Using Operating Systems Utilities" + }, { "description": "Attackers may leverage fsutil to enumerated connected drives.", "meta": { @@ -47787,8 +47694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", "Turla has used fsutil fsinfo drives to list connected drives.", + "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ @@ -47855,11 +47762,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://man.openbsd.org/ssh_config#ProxyCommand", - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://gtfobins.github.io/gtfobins/ssh/", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ 
@@ -47879,116 +47786,6 @@ "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "value": "Lolbin Ssh.exe Use As Proxy" }, - { - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "meta": { - "author": "Agro (@agro_sev) oscd.communitly", - "creation_date": "2020/10/13", - "falsepositive": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." - ], - "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pabraeken/status/993298228840992768", - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", - "value": "SQL Client Tools PowerShell Session Detection" - }, - { - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "meta": { - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", - "creation_date": 
"2020/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_register_cimprovider.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", - "https://twitter.com/PhilipTsukerman/status/992021361106268161", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574" - ] - }, - "related": [ - { - "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", - "value": "DLL Execution Via Register-cimprovider.exe" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/05/20", - "falsepositive": [ - "Legitimate use of AnyDesk from a non-standard folder" - ], - "filename": "proc_creation_win_anydesk_execution_from_susp_folders.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_execution_from_susp_folders.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", - "value": "Anydesk Execution From Suspicious Folder" - }, { "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", "meta": { @@ -48004,9 +47801,9 @@ "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", - "https://twitter.com/cyb3rops/status/1514217991034097664", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", "https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/", + "https://twitter.com/cyb3rops/status/1514217991034097664", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml" ], "tags": [ 
@@ -48070,57 +47867,6 @@ "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", "value": "NodejsTools PressAnyKey Lolbin" }, - { - "description": "Shadow Copies deletion using operating systems utilities", - "meta": { - "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" - ], - "filename": "proc_creation_win_shadow_copies_deletion.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/Neo23x0/Raccine#the-process", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" - ] - }, - "related": [ - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "related-to" - }, - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "value": "Shadow Copies Deletion Using Operating Systems Utilities" - }, { "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", "meta": { @@ -48302,9 +48048,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ 
@@ -48334,6 +48080,109 @@ "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "value": "File Download Via Bitsadmin" }, + { + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "meta": { + "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_oilrig_mar18.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_oilrig_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "value": "OilRig APT Activity" + }, + { + "description": "Detects code execution via the Windows Update client (wuauclt)", + "meta": { + "author": "FPT.EagleEye Team", + 
"creation_date": "2020/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wuauclt_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "value": "Windows Update Client LOLBIN" + }, { "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "meta": { 
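Review bot: The new `OilRig APT Activity` entry carries the group and software tags `attack.g0049` and `attack.s0111`, but its `related` list holds only four entries, matching the four technique tags, so consumers that pivot through `related` get no link to the corresponding group or software clusters. If the generator deliberately maps technique tags only, that convention should be stated in the galaxy README; otherwise the group/software mappings should be emitted as additional `related` entries in the same `related-to` shape. The `Windows Update Client LOLBIN` entry in the same hunk is internally consistent (two technique tags, two `related` entries). The enclosing values array begins and ends outside this hunk.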
@@ -48433,83 +48282,6 @@ "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "value": "Use of VSIISExeLauncher.exe" }, - { - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "meta": { - "author": "Agro (@agro_sev) oscd.community", - "creation_date": "2020/10/10", - "falsepositive": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." - ], - "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", - "https://twitter.com/bryon_/status/975835709587075072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", - "value": "Detection of PowerShell Execution via Sqlps.exe" - }, - { - "description": "Detection of unusual child processes by different system processes", - "meta": { - "author": "Semanur Guneysu @semanurtg, oscd.community", - "creation_date": "2020/10/28", - "falsepositive": 
[ - "Unknown" - ], - "filename": "proc_creation_win_abusing_debug_privilege.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "related": [ - { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", - "value": "Abused Debug Privilege by Arbitrary Parent Processes" - }, { "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "meta": { 
@@ -48543,6 +48315,79 @@ "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", "value": "Regedit as Trusted Installer" }, + { + "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/04/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt10_cloud_hopper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1059.005" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "966e4016-627f-44f7-8341-f394905c361f", + "value": "Potential APT10 Cloud Hopper Activity" + }, + { + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "meta": { + "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", + "creation_date": "2020/10/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://www.cobaltstrike.com/help-opsec", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" + }, { "description": "Detects the execution of certutil with certain flags that allow the utility to 
download files from direct IPs.", "meta": { @@ -48556,11 +48401,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://twitter.com/egre55/status/1087685529016193025", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://twitter.com/egre55/status/1087685529016193025", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ 
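Review bot: The refs hunk here only swaps the order of existing references, and the hunks at L294, L296, L298, L302, L305, L307 and L311 do the same, which suggests either the upstream Sigma rules reordered their references or the generator emits refs in an unstable order. Sorting refs at generation time, or preserving the upstream order consistently, would keep this churn out of future diffs and leave only real rule changes for a reviewer to check. The context line `"tags": "No established tags"` at L302 also shows tags stored as a bare string where every other entry in this chunk uses an array; a consumer that iterates tags will trip over that entry, so the generator should emit an empty array there instead.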
@@ -48614,46 +48459,29 @@
 "value": "Potential RDP Tunneling Via SSH"
 },
 {
- "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
+ "description": "Detects potential Muddywater APT activity",
 "meta": {
- "author": "Nikita Nazarov, oscd.community",
- "creation_date": "2020/10/09",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/03/10",
 "falsepositive": [
- "Unknown"
+ "Unlikely"
 ],
- "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml",
+ "filename": "proc_creation_win_apt_muddywater_activity.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml"
+ "https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_activity.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1027",
 "attack.execution",
- "attack.t1059.001"
+ "attack.g0069"
 ]
 },
- "related": [
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5",
- "value": "Invoke-Obfuscation Via Use Clip"
+ "uuid": "36222790-0d43-4fe8-86e4-674b27809543",
+ "value": "Potential MuddyWater APT Activity"
 },
 {
 "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.",
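Review bot: The `Invoke-Obfuscation Via Use Clip` entry with uuid `e1561947-b4e3-4a74-9bdd-83baed21bdb5` is replaced in place by the new MuddyWater entry, and the hunks at L288–L289, L295, L299–L301, L306, L307, L308–L309 and L310 likewise drop rule entries together with their uuids. Whether those rules were moved elsewhere in the file or retired upstream cannot be told from this chunk; if they are gone, any MISP event or attribute already tagged with one of those cluster uuids loses its resolution on the next galaxy update. Galaxy consumers are better served by keeping a retired entry and flagging it as revoked, as the ATT&CK-derived galaxies do, than by deleting it outright; if the generator cannot do that, the commit description should list the removed uuids so downstream instances can re-tag.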
@@ -48801,8 +48629,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
 ],
 "tags": [
@@ -48822,51 +48650,6 @@ "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", "value": "Trickbot Malware Activity" }, - { - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "meta": { - "author": "Konstantin Grishchenko, oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Legitimate usage by software developers" - ], - "filename": "proc_creation_win_susp_csi.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" - ], - "tags": [ - "attack.execution", - "attack.t1072", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", - "value": "Suspicious Csi.exe Usage" - }, { "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "meta": { 
@@ -48880,8 +48663,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.localpotato.com/localpotato_html/LocalPotato.html",
 "https://github.com/decoder-it/LocalPotato",
+ "https://www.localpotato.com/localpotato_html/LocalPotato.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml"
 ],
 "tags": [
@@ -48936,6 +48719,65 @@ "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "value": "HackTool - Impersonate Execution" }, + { + "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "creation_date": "2021/12/17", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "filename": "proc_creation_win_java_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "value": "Suspicious Shells Spawned by Java" + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/23", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "filename": "proc_creation_win_registry_new_network_provider.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "value": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" + }, { "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", "meta": { @@ -48949,8 +48791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ @@ -48982,8 +48824,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ 
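Review bot: The new `Suspicious Shells Spawned by Java` entry at L297 carries only tactic tags (`attack.initial_access`, `attack.persistence`, `attack.privilege_escalation`) and no `related` block, whereas every neighbouring entry derives its `related` ATT&CK links from an `attack.t…` technique tag, so this entry will not link to any attack-pattern in the galaxy. If the upstream rule has no technique tag this is expected, but it is worth a line in the commit description so consumers do not mistake the missing link for a generator bug. The falsepositive text of the following entry, `Other legitimate network providers used and not filtred in this rule`, has a typo (`filtred`); if descriptions are copied verbatim from Sigma, the fix belongs upstream rather than in this file.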
@@ -49004,119 +48846,72 @@ "value": "Use of Pcalua For Execution" }, { - "description": "Use of hostname to get information", + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", "meta": { - "author": "frack113", - "creation_date": "2022/01/01", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "creation_date": "2020/10/05", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_hostname.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", - "value": "Suspicious Execution of Hostname" - }, - { - "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", - "meta": { - "author": "frack113", - "creation_date": "2022/01/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uninstall_sysinternals_sysmon.yml", + "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysinternals_sysmon.yml" + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ] }, "related": [ { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "value": "Uninstall Sysinternals Sysmon" + "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "value": "Non-privileged Usage of Reg or Powershell" }, { - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", "meta": { - "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", - "creation_date": "2019/07/31", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", + "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
], - "filename": "proc_creation_win_cmstp_com_object_access.yml", - "level": "high", + "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://twitter.com/hFireF0X/status/897640081053364225", - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" + "attack.t1059.001" ] }, "related": [ { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "value": "CMSTP UAC Bypass via COM Object Access" + "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "value": "Usage Of Web Request Commands And Cmdlets" }, { "description": "Detects using SettingSyncHost.exe to 
run hijacked binary", @@ -49165,8 +48960,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://twitter.com/x86matthew/status/1505476263464607744?s=12", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": "No established tags" @@ -49188,9 +48983,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ 
@@ -49211,19 +49006,43 @@ "value": "Powershell Defender Exclusion" }, { - "description": "Detects EmpireMonkey APT reported Activity", + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", "meta": { - "author": "Markus Neis", - "creation_date": "2019/04/02", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/10", "falsepositive": [ - "Very Unlikely" + "Other parent binaries using GUP not currently identified" ], - "filename": "proc_creation_win_apt_empiremonkey.yml", - "level": "critical", + "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b", + "https://twitter.com/nas_bench/status/1535322445439180803", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "value": "Arbitrary Binary Execution Using GUP Utility" + }, + { + "description": "Detects potential EmpireMonkey APT activity", + "meta": { + "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/04/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_empiremonkey.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml" ], "tags": [ 
@@ -49241,7 +49060,7 @@ } ], "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", - "value": "Empire Monkey" + "value": "Potential EmpireMonkey Activity" }, { "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", @@ -49319,6 +49138,40 @@ "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", "value": "Ps.exe Renamed SysInternals Tool" }, + { + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/10/14", + "falsepositive": [ + "Administrative activity (adjust code pages according to your organization's region)" + ], + "filename": "proc_creation_win_chcp_codepage_switch.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" + ], + "tags": [ + "attack.t1036", + "attack.defense_evasion" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", + "value": "Suspicious CodePage Switch Via CHCP" + }, { "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "meta": { 
@@ -49365,9 +49218,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -49387,48 +49240,6 @@
 "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8",
 "value": "DllUnregisterServer Function Call Via Msiexec.EXE"
 },
- {
- "description": "Detects execution of powershell scripts via Runscripthelper.exe",
- "meta": {
- "author": "Victor Sergeev, oscd.community",
- "creation_date": "2020/10/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_runscripthelper.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03",
- "value": "Suspicious Runscripthelper.exe"
- },
 {
 "description": "Detects the use of a Microsoft signed script to execute commands",
 "meta": {
@@ -49462,40 +49273,6 @@
 "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d",
 "value": "CL_Mutexverifiers.ps1 Proxy Execution"
 },
- {
- "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Maxime Thiebaut",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "User selecting a different installation folder (check for other sub processes of this explorer.exe process)"
- ],
- "filename": "proc_creation_win_susp_razorinstaller_explorer.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/j0nh4t/status/1429049506021138437",
- "https://streamable.com/q2dsji",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1553"
- ]
- },
- "related": [
- {
- "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167",
- "value": "Suspicious RazerInstaller Explorer Subprocess"
- },
 {
 "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.",
 "meta": {
@@ -49509,8 +49286,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://ss64.com/vb/cscript.html",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml"
 ],
 "tags": [
@@ -49585,39 +49362,29 @@ "value": "Recon Information for Export with Command Prompt" }, { - "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.", + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/12/04", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_apt_apt29_thinktanks.yml", - "level": "high", + "filename": "proc_creation_win_ldifde_export.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", - "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml" + "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ - "attack.execution", - "attack.g0016", - "attack.t1059.001" + "attack.exfiltration" ] }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": 
"033fe7d6-66d1-4240-ac6b-28908009c71f", - "value": "APT29" + "uuid": "4f7a6757-ff79-46db-9687-66501a02d9ec", + "value": "Active Directory Structure Export Via Ldifde.EXE" }, { "description": "Detects potential Dridex acitvity via specific process patterns", @@ -49671,39 +49438,6 @@ "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", "value": "Potential Dridex Activity" }, - { - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", - "meta": { - "author": "Sreeman, Florian Roth", - "creation_date": "2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_browser_chromium_headless_file_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_chromium_headless_file_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "value": "File Download with Headless Browser" - }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", "meta": { 
@@ -49738,48 +49472,38 @@ "value": "Service Registry Key Deleted Via Reg.EXE" }, { - "description": "Detects CrackMapExecWin Activity as Described by NCSC", + "description": "Detects shell32.dll executing a DLL in a suspicious directory", "meta": { - "author": "Markus Neis", - "creation_date": "2018/04/08", + "author": "Christian Burkard (Nextron Systems)", + "creation_date": "2021/11/24", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_apt_dragonfly.yml", - "level": "critical", + "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0488/", - "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" + "https://www.group-ib.com/resources/threat-research/red-curl-2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml" ], "tags": [ - "attack.g0035", - "attack.credential_access", - "attack.discovery", - "attack.t1110", - "attack.t1087" + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" ] }, "related": [ { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "04d9079e-3905-4b70-ad37-6bdf11304965", - "value": "CrackMapExecWin" + "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", + "value": "Shell32 DLL Execution in Suspicious Directory" }, { "description": "Detects usage of the 
\"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", @@ -49794,8 +49518,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], @@ -49855,10 +49579,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", - "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://twitter.com/0gtweet/status/1583356502340870144", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], "tags": [ 
@@ -49887,41 +49611,40 @@ "value": "Use of Setres.exe" }, { - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", "meta": { - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", - "creation_date": "2021/05/10", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/10/13", "falsepositive": [ - "Legitimate RClone use" + "System administrator Usage" ], - "filename": "proc_creation_win_susp_rclone_execution.yml", - "level": "high", + "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" + "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "attack.discovery", + "attack.t1069.001" ] }, "related": [ { - "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", - "value": "Rclone Execution via Command Line or PowerShell" + "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "value": "Permission Check Via Accesschk.EXE" }, { "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", 
@@ -50175,6 +49898,40 @@ "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", "value": "Base64 Encoded PowerShell Command Detected" }, + { + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "meta": { + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2023/03/05", + "falsepositive": [ + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + ], + "filename": "proc_creation_win_certmgr_certificate_installation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "related": [ + { + "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ff992eac-6449-4c60-8c1d-91c9722a1d48", + "value": "New Root Certificate Installed Via CertMgr.EXE" + }, { "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", "meta": { 
@@ -50266,30 +50023,6 @@ "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "value": "Suspicious Download from Office Domain" }, - { - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_persistence_typed_paths.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://forensafe.com/blogs/typedpaths.html", - "https://twitter.com/dez_/status/1560101453150257154", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", - "value": "Persistence Via TypedPaths - CommandLine" - }, { "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "meta": { @@ -50304,8 +50037,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], 
@@ -50372,8 +50105,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" ], "tags": [ @@ -50441,8 +50174,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/defaultpack.exe", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", + "https://www.echotrail.io/insights/search/defaultpack.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ 
@@ -50464,38 +50197,41 @@ "value": "Lolbin Defaultpack.exe Use As Proxy" }, { - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/23", + "author": "Bhabesh Raj", + "creation_date": "2022/03/04", "falsepositive": [ - "Other legitimate network providers used and not filtred in this rule" + "Unknown" ], - "filename": "proc_creation_win_reg_new_network_provider.yml", + "filename": "proc_creation_win_ultravnc_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_new_network_provider.yml" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" ] }, "related": [ { - "dest-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", - "value": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" + "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", + "value": "Suspicious UltraVNC Execution" }, { "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", @@ -50510,8 +50246,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ 
@@ -50598,47 +50334,73 @@ "value": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", "meta": { - "author": "Tim Burrell", - "creation_date": "2020/02/07", + "author": "frack113", + "creation_date": "2022/12/09", "falsepositive": [ - "Unknown" + "Very Likely, including launching cmd.exe via Run As Administrator" ], - "filename": "proc_creation_win_apt_gallium.yml", - "level": "high", + "filename": "proc_creation_win_conhost_legacy_option.yml", + "level": "informational", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ - "attack.credential_access", - "attack.t1212", - "attack.command_and_control", - "attack.t1071" + "attack.defense_evasion", + "attack.t1202" ] }, "related": [ { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": 
"related-to" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "18739897-21b1-41da-8ee4-5b786915a676", - "value": "GALLIUM Artefacts" + "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", + "value": "Suspicious High IntegrityLevel Conhost Legacy Option" + }, + { + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "meta": { + "author": "David Burkett, @signalblur", + "creation_date": "2019/12/28", + "falsepositive": [ + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + ], + "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", + "value": "Suspect Svchost Activity" }, { "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", 
@@ -50687,8 +50449,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], @@ -50727,7 +50489,7 @@ "value": "Suspicious WmiPrvse Child Process Spawned" }, { - "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor", + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/26", @@ -50758,7 +50520,7 @@ } ], "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "value": "MERCURY Command Line Patterns" + "value": "MERCURY APT Activity" }, { "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", 
@@ -50773,10 +50535,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ 
@@ -50852,6 +50614,41 @@ "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", "value": "Rundll32 JS RunHTMLApplication Pattern" }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "value": "Use NTFS Short Name in Image" + }, { "description": "Detects the execution GMER tool based on image and hash fields.", "meta": { @@ -50888,8 +50685,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml" ], "tags": [ 
@@ -50910,37 +50707,115 @@ "value": "Regsvr32 Spawning Explorer" }, { - "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", "meta": { - "author": "frack113", - "creation_date": "2021/12/26", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", "falsepositive": [ - "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates" + "Unlikely" ], - "filename": "proc_creation_win_susp_taskkill.yml", - "level": "low", + "filename": "proc_creation_win_susp_lsass_dump.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml" + "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", + "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml" ], "tags": [ - "attack.impact", - "attack.t1489" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": 
"20fb2507-d71c-455d-9b6d-6104461cf26b", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", - "value": "Suspicious Execution of Taskkill" + "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", + "value": "LSASS Memory Dumping" + }, + { + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", + "value": "Terminal Service Process Spawn" + }, + { + "description": "Detection of unusual child processes by different system processes", + "meta": { + "author": "Semanur Guneysu @semanurtg, oscd.community", + "creation_date": "2020/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_abusing_debug_privilege.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", + "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, { "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", 
@@ -50977,6 +50852,39 @@ "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", "value": "Direct Autorun Keys Modification" }, + { + "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/04", + "falsepositive": [ + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + ], + "filename": "proc_creation_win_winrar_dmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_dmp.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "value": "Winrar Compressing Dump Files" + }, { "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "meta": { 
@@ -51023,8 +50931,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -51066,10 +50974,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], 
@@ -51107,6 +51015,39 @@ "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "value": "Dumping of Sensitive Hives Via Reg.EXE" }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_remote_access_tools_anydesk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "value": "Remote Access Tool - AnyDesk Execution" + }, { "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", "meta": { 
@@ -51122,8 +51063,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://tools.thehacker.recipes/mimikatz/modules", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": "No established tags" @@ -51245,8 +51186,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml" ], "tags": [ @@ -51312,11 +51253,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ 
@@ -51358,9 +51299,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -51380,39 +51321,6 @@ "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "value": "Registry Modification Via Regini.EXE" }, - { - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_persistence_windows_telemetry.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_windows_telemetry.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", - "value": "Potential Persistence Via Microsoft Compatibility Appraiser" - }, { "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", "meta": { 
@@ -51444,7 +51352,7 @@ } ], "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", - "value": "Suspicious CMD Shell Redirect" + "value": "Suspicious CMD Shell Output Redirect" }, { "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", @@ -51460,9 +51368,9 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ 
@@ -51526,38 +51434,63 @@ "value": "Suspicious Network Command" }, { - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/09/03", + "author": "Micah Babinski", + "creation_date": "2022/12/11", "falsepositive": [ - "Unknown" + "Legitimate use of the tool by administrators or users to update metadata of a binary" ], - "filename": "proc_creation_win_apt_emissarypanda_sep19.yml", - "level": "critical", + "filename": "proc_creation_win_pua_rcedit_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", - "https://twitter.com/cyb3rops/status/1168863899531132929", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", + "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://github.com/electron/rcedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1574.002" + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + "attack.t1027" ] }, "related": [ { - "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", - "value": "Emissary Panda Malware SLLauncher" + "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "value": "PUA - Potential PE Metadata Tamper Using Rcedit" }, { "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", @@ -51573,9 +51506,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ 
@@ -51711,8 +51644,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ @@ -51763,9 +51696,9 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ 
@@ -51938,74 +51871,6 @@ "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", "value": "Defrag Deactivation" }, - { - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/07", - "falsepositive": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." - ], - "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "related": [ - { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", - "value": "Use Short Name Path in Command Line" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly 
used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/25", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_ultraviewer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", - "value": "Use of UltraViewer Remote Access Software" - }, { "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", "meta": { @@ -52019,8 +51884,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://attack.mitre.org/software/S0108/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ 
@@ -52042,39 +51907,6 @@ "uuid": "56321594-9087-49d9-bf10-524fe8479452", "value": "Potential Persistence Via Netsh Helper DLL" }, - { - "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_cmd_read_contents.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ] - }, - "related": [ - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003", - "value": "Read and Execute a File Via Cmd.exe" - }, { "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "meta": { @@ -52088,9 +51920,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ 
@@ -52154,43 +51986,6 @@ "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "value": "Potential SPN Enumeration Via Setspn.EXE" }, - { - "description": "Detects suspicious process that use escape characters", - "meta": { - "author": "juju4", - "creation_date": "2018/12/11", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_cli_escape.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/vysecurity/status/885545634958385153", - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", - "https://twitter.com/Hexacorn/status/885570278637678592", - "https://twitter.com/Hexacorn/status/885553465417756673", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ] - }, - "related": [ - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", - "value": "Suspicious Commandline Escape" - }, { "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", "meta": { 
@@ -52249,38 +52044,38 @@ "value": "Execution Of Non-Existing File" }, { - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "description": "Detects suspicious processes including shells spawnd from WinRM host process", "meta": { - "author": "Teymur Kheirkhabarov", - "creation_date": "2019/10/26", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "creation_date": "2021/05/20", "falsepositive": [ - "Unknown" + "Legitimate WinRM usage" ], - "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml", + "filename": "proc_creation_win_winrm_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ] }, "related": [ { - "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "value": "Potential Privilege Escalation via Service Permissions Weakness" + "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "value": "Suspicious Processes Spawned by WinRM" }, { "description": "Detects creation of local users via the net.exe command with the option \"never 
expire\"", @@ -52328,8 +52123,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ @@ -52363,10 +52158,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://twitter.com/nas_bench/status/1537896324837781506", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ 
@@ -52399,8 +52194,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw", "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20", + "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_win_server_undocumented_rce.yml" ], "tags": "No established tags" 
@@ -52524,50 +52319,6 @@ "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", "value": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, - { - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", - "meta": { - "author": "frack113", - "creation_date": "2022/03/12", - "falsepositive": [ - "Legitimate script" - ], - "filename": "proc_creation_win_network_scan_loop.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://ss64.com/ps/foreach-object.htmll", - "https://ss64.com/nt/for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", - "value": "Suspicious Scan Loop Network" - }, { "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "meta": { 
@@ -52589,40 +52340,6 @@ "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "value": "Suspicious Program Names" }, - { - "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/01", - "falsepositive": [ - "Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" - ], - "filename": "proc_creation_win_susp_service_stop.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ] - }, - "related": [ - { - "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "value": "Suspicious Stop Windows Service" - }, { "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { 
@@ -52636,8 +52353,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ 
@@ -52657,6 +52374,123 @@ "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "value": "HackTool - Dumpert Process Dumper Execution" }, + { + "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", + "meta": { + "author": "Maxim Pavlunin", + "creation_date": "2020/04/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hh_html_help_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1047", + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "value": "HTML Help Shell Spawn" + }, { "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "meta": { 
@@ -52691,6 +52525,49 @@ "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "value": "Security Privileges Enumeration Via Whoami.EXE" }, + { + "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_apt31_judgement_panda.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.credential_access", + "attack.g0128", + "attack.t1003.001", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "value": "APT31 Judgement Panda Activity" + }, { "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", "meta": { 
@@ -52737,9 +52614,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -52781,9 +52658,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -52816,8 +52693,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], 
@@ -52875,8 +52752,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" 
@@ -52886,6 +52763,65 @@ "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", "value": "HackTool - CrackMapExec Execution" }, + { + "description": "Detects use of executionpolicy option to set insecure policies", + "meta": { + "author": "frack113", + "creation_date": "2021/11/01", + "falsepositive": [ + "Administrator script" + ], + "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "value": "Change PowerShell Policies to an Insecure Level" + }, + { + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1479094189048713219", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml" + ], 
+ "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "value": "DumpStack.log Defender Evasion" + }, { "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "meta": { @@ -52899,8 +52835,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -52926,7 +52862,7 @@ "author": "Bartlomiej Czyz, Relativity", "creation_date": "2021/01/31", "falsepositive": [ - "Unknown" + "False positives may occur if a user called rundll32 from CLI with no options" ], "filename": "proc_creation_win_rundll32_without_parameters.yml", "level": "high", @@ -52984,8 +52920,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" ], "tags": [ 
@@ -53027,15 +52963,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ "attack.execution", + "attack.command_and_control", "attack.t1059.003", "attack.t1059.001", - "attack.command_and_control", "attack.t1105" ] }, @@ -53065,27 +53001,6 @@ "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", "value": "Command Line Execution with Suspicious URL and AppData Strings" }, - { - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "meta": { - "author": "Florian Roth (Nextron Systems), Microsoft (idea)", - "creation_date": "2022/08/04", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_iis_module_registration.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml" - ], - "tags": "No established tags" - }, - "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "value": "Suspicious IIS Module Registration" - }, { "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", "meta": { 
@@ -53099,8 +53014,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -53120,6 +53035,40 @@ "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", "value": "PUA - DIT Snapshot Viewer" }, + { + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "meta": { + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "creation_date": "2020/03/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" + ], + "tags": [ + "attack.execution", + "attack.t1021.003" + ] + }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "value": "MMC20 Lateral Movement" + }, { "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", "meta": { 
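Review bot: The new `MMC20 Lateral Movement` entry carries the tactic tag `attack.execution` while its technique tag `attack.t1021.003` (and the `related` dest-uuid 68a0c5ed-…) is the DCOM remote-services sub-technique, which ATT&CK files under Lateral Movement, so the tactic and technique tags disagree and a MISP matrix view will bucket the entry under the wrong tactic. I would add `"attack.lateral_movement"` alongside (or in place of) `"attack.execution"` in the `tags` array. The description already calls it lateral movement, so only the tagging needs to change; since the entry is generated from the SigmaHQ rule, the correction should be made in the upstream YAML.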
@@ -53144,13 +53093,48 @@ "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "value": "Renamed PsExec Service Execution" }, + { + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "value": "Operator Bloopers Cobalt Strike Commands" + }, { "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "meta": { "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "creation_date": "2021/02/02", "falsepositive": [ - "Admin activity" + "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" ], "filename": "proc_creation_win_auditpol_susp_execution.yml", "level": "high", 
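Review bot: The rewritten false-positive text for `Audit Policy Tampering Via Auditpol`, `Administrator or administrator scripts might leverage the flags mentioned in the detection section`, refers to a detection section that does not exist in this galaxy entry: the cluster carries only metadata, and the matching logic lives in the referenced YAML, so a MISP user reading the tag has no way to know which flags are meant. I would either name the flags or rephrase to `Administrators or administrative scripts that legitimately change audit policy; verify the change against change records`. The new `Operator Bloopers Cobalt Strike Commands` entry is level high with `"falsepositive": ["Unknown"]`; since it fires on operator command words typed into a shell, stating whether authorised red-team or training activity is expected to trigger it would help analysts triage. Both fixes belong upstream in the SigmaHQ rule files.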
@@ -53178,70 +53162,38 @@ "value": "Audit Policy Tampering Via Auditpol" }, { - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", "meta": { - "author": "frack113", - "creation_date": "2021/07/27", + "author": "frack113, Florian Roth (Nextron Systems)", + "creation_date": "2022/01/15", "falsepositive": [ - "Command line parameter combinations that contain all included strings" + "Unknown" ], - "filename": "proc_creation_win_susp_7z.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", - "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" - }, - { - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/10", - "falsepositive": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" - ], - "filename": "proc_creation_win_susp_gup_download.yml", + "filename": 
"proc_creation_win_susp_cli_obfuscation_unicode.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535322182863179776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml" + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1105" + "attack.defense_evasion", + "attack.t1027" ] }, "related": [ { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", - "value": "Download Files Using Notepad++ GUP Utility" + "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", + "value": "Potential Commandline Obfuscation Using Unicode Characters" }, { "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", @@ -53289,8 +53241,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.radmin.fr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ 
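Review bot: This hunk removes two cluster entries outright, `Compress Data and Lock With Password for Exfiltration With 7-ZIP` (uuid 9fbf5927-…) and `Download Files Using Notepad++ GUP Utility` (uuid 44143844-…), and unless they are re-added elsewhere in the file (not visible in this diff) any MISP event already tagged with those clusters will reference a uuid the galaxy no longer defines. If the upstream rules were deprecated rather than merged into a successor, keeping the entry and marking it as deprecated in `meta` (if the galaxy schema supports that) would preserve existing references; please confirm which it is. By contrast the `Potential Commandline Obfuscation Using Unicode Characters` entry correctly keeps uuid e0552b19-… from the old `proc_creation_win_susp_char_in_cmd.yml` entry deleted further down, so that rename orphans nothing; the two removed rules deserve the same treatment if successors exist.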
@@ -53345,38 +53297,40 @@ "value": "Windows Firewall Disabled via PowerShell" }, { - "description": "The Devtoolslauncher.exe executes other binary", + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", "meta": { - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", - "creation_date": "2019/10/12", + "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/27", "falsepositive": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" + "Unknown" ], - "filename": "proc_creation_win_susp_devtoolslauncher.yml", - "level": "high", + "filename": "proc_creation_win_browsers_remote_debugging.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", - "https://twitter.com/_felamos/status/1179811992841797632", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://github.com/defaultnamehere/cookie_crimes/", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.credential_access", + "attack.t1185" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "value": "Devtoolslauncher.exe Executes Specified Binary" + "uuid": 
"b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "value": "Browser Started with Remote Debugging" }, { "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", @@ -53384,14 +53338,14 @@ "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/02/21", "falsepositive": [ - "Unknown" + "Unlikely" ], "filename": "proc_creation_win_apt_bear_activity_gtr19.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml" ], "tags": [ @@ -53417,7 +53371,7 @@ } ], "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "value": "Judgement Panda Credential Access Activity" + "value": "Potential Russian APT Credential Theft Activity" }, { "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", @@ -53432,8 +53386,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": "No established tags" 
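Review bot: The new `Browser Started with Remote Debugging` entry declares `"falsepositive": ["Unknown"]`, but launching a browser with remote-debugging flags is the normal mode of operation for browser-automation and UI-testing frameworks and for developers using DevTools remotely, so on developer and CI hosts this medium-level rule will fire constantly and consumers need that caveat up front. I would replace the array with something like `"falsepositive": ["Browser automation and UI-testing frameworks and developer tooling that launch browsers with remote debugging enabled"]`. Separately, the tactic tag `attack.credential_access` is paired with `attack.t1185` (browser session hijacking), which ATT&CK lists under Collection; adding `attack.collection` would make the tactic/technique pair consistent with the linked `related` entry. Both fixes belong in the upstream SigmaHQ YAML this entry is generated from.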
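Review bot: The `proc_creation_win_apt_bear_activity_gtr19.yml` entry replaces its primary reference, the CrowdStrike report page, with a documentcloud.org copy, and renames the cluster value from `Judgement Panda Credential Access Activity` to `Potential Russian APT Credential Theft Activity`; the uuid b83f5166-… is kept, which is what keeps existing MISP tags resolvable, but the visible tag label on every instance that syncs this galaxy will change. For a critical-level APT rule I would keep the vendor URL in `refs` alongside the mirror rather than dropping it, i.e. retain `https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/` as a second entry, since a third-party mirror is not the authoritative copy. The new false-positive wording `Unlikely` is only justified if the rule's matching logic upstream is as narrow as the title suggests; that cannot be judged from the metadata here.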
@@ -53442,37 +53396,37 @@ "value": "Suspicious Kernel Dump Using Dtrace" }, { - "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", + "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Tim Rauch", "creation_date": "2022/09/27", "falsepositive": [ - "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" + "Other programs that cause these patterns (please report)" ], - "filename": "proc_creation_win_susp_7zip_dmp.yml", + "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml" + "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.lateral_movement", + "attack.t1021" ] }, "related": [ { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", - "value": "7Zip Compressing Dump Files" + "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "value": "Privilege Escalation via Named Pipe Impersonation" }, { "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces 
or underlines to cloak the executable file in spear phishing campaigns", @@ -53487,8 +53441,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://twitter.com/blackorbird/status/1140519090961825792", + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -53574,10 +53528,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ 
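Review bot: The new `Privilege Escalation via Named Pipe Impersonation` entry has a description that does not describe it: `Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.` is a remote-file-copy description, whereas the value, the filename and the Elastic reference are all about named-pipe impersonation, and the tags `attack.lateral_movement`/`attack.t1021` plus the `related` dest-uuid follow the mismatched description rather than the technique in the title. An analyst who sees this tag in MISP will read the description and misunderstand what fired. The description should be rewritten to match the title, e.g. `Detects process patterns associated with privilege escalation through named pipe impersonation, where a process is created to serve a pipe and impersonate a higher-privileged client`, and the tags and `related` uuid re-mapped to the privilege-escalation/impersonation technique the upstream authors intend rather than T1021. As with the rest of this file, the fix has to land in the SigmaHQ rule YAML the entry is generated from.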
@@ -53638,6 +53592,39 @@ "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", "value": "Blue Mockingbird" }, + { + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/01", + "falsepositive": [ + "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" + ], + "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Kostastsale/status/1565257924204986369", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", + "value": "Suspicious Execution From GUID Like Folder Names" + }, { "description": "Detects creation of a scheduled task with a GUID like name", "meta": { 
@@ -53706,38 +53693,36 @@ "value": "Suspicious Key Manager Access" }, { - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "description": "Detects the stopping of a Windows service", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/14", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/05", "falsepositive": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], - "filename": "proc_creation_win_susp_servu_process_pattern.yml", - "level": "high", + "filename": "proc_creation_win_powershell_stop_service.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml" ], "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" + "attack.impact", + "attack.t1489" ] }, "related": [ { - "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "value": "Suspicious Serv-U Process Pattern" + "uuid": "c49c5062-0966-4170-9efd-9968c913a6cf", + "value": "Stop Windows Service Via PowerShell Stop-Service" }, { "description": "Detects file download 
using curl.exe", @@ -53807,6 +53792,41 @@ "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", "value": "Potential PowerShell Execution Via DLL" }, + { + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "meta": { + "author": "frack113", + "creation_date": "2022/01/30", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_takeown_recursive_own.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "related": [ + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "value": "Suspicious Recursive Takeown" + }, { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "meta": { 
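Review bot: This hunk drops the `Suspicious Serv-U Process Pattern` entry (uuid 58f4ea09-…), the only entry visible here carrying a CVE tag (`cve.2021.35211`) and the Microsoft reference for the Serv-U zero-day, in favour of `Stop Windows Service Via PowerShell Stop-Service`; if the Serv-U rule is not retained elsewhere in the file, MISP events tagged with it lose both the galaxy mapping and the CVE correlation, so please confirm it was intentionally deprecated upstream rather than lost in regeneration. The new Stop-Service entry lists only the self-referential SigmaHQ URL in `refs`; a low-level rule whose own false-positive text admits `There are many legitimate reasons to stop a service` would benefit from at least one external reference describing the adversary use (ATT&CK T1489) so analysts can justify keeping it enabled.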
@@ -53908,37 +53928,38 @@ "value": "Suspicious Add Scheduled Command Pattern" }, { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", "meta": { - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "creation_date": "2020/10/10", + "author": "@pbssubhash , Nasreddine Bencherchali", + "creation_date": "2022/12/08", "falsepositive": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], - "filename": "proc_creation_win_root_certificate_installed.yml", - "level": "medium", + "filename": "proc_creation_win_werfault_lsass_shtinkering.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml" + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1553.004" + "attack.credential_access", + "attack.t1003.001" ] }, "related": [ { - "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", + "dest-uuid": 
"65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc", - "value": "Root Certificate Installed" + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "value": "Potential Credential Dumping Via WER" }, { "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", @@ -53973,6 +53994,48 @@ "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", "value": "PUA- IOX Tunneling Tool Execution" }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" + }, { "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", "meta": { 
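Review bot: The `Root Certificate Installed` entry (uuid 46591fae-…, the only `attack.t1553.004` mapping visible in this diff) is removed in this hunk and paired by the diff with the new `Potential Credential Dumping Via WER`; unless the root-certificate entry survives elsewhere in the file, events tagged with it lose their galaxy mapping and the galaxy loses a subvert-trust-controls detection, so please confirm the removal is an intentional upstream deprecation. In the new WER entry the author field `@pbssubhash , Nasreddine Bencherchali` has a stray space before the comma that will be shown verbatim in the MISP UI; the upstream YAML should read `@pbssubhash, Nasreddine Bencherchali`. The false-positive guidance (`check the PID associated with the "-p" parameter in the CommandLine`) is useful but would be clearer if it said what to compare the PID against, presumably lsass.exe given the description.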
@@ -53986,8 +54049,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -54070,8 +54133,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ 
@@ -54091,40 +54154,6 @@ "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "value": "Dllhost.EXE Execution Anomaly" }, - { - "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_char_in_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", - "value": "Obfuscated Command Line Using Special Unicode Characters" - }, { "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "meta": { 
@@ -54200,6 +54229,40 @@ "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", "value": "Windows Admin Share Mount Via Net.EXE" }, + { + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_webdav_client_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "value": "WebDav Client Execution" + }, { "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "meta": { 
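Review bot: The new `WebDav Client Execution` entry is tagged only `attack.exfiltration`/`attack.t1048.003`, yet its own description says the pattern `could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server)`; the code-launch case is an execution/ingress scenario the tagging does not capture, so a MISP user filtering by execution or tool-transfer techniques will not find this cluster. I would add the corresponding tags (e.g. `attack.execution` plus the ingress/tool-transfer technique the upstream authors consider appropriate) with matching `related` entries. Level medium with `"falsepositive": ["Unknown"]` is also thin for a rule keyed on the built-in WebDAV client, which in my experience legitimate SharePoint/OneDrive and mapped-WebDAV-drive usage exercises; that should be stated in the false-positive list. Changes go in the SigmaHQ YAML this entry is generated from.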
@@ -54303,6 +54366,41 @@ "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "value": "Renamed MegaSync Execution" }, + { + "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant", + "meta": { + "author": "Florian Roth (Nextron Systems), @41thexplorer", + "creation_date": "2018/11/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign", + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7453575c-a747-40b9-839b-125a0aae324b", + "value": "APT29 2018 Phishing Campaign CommandLine Indicators" + }, { "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", "meta": { 
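Review bot: The new `APT29 2018 Phishing Campaign CommandLine Indicators` entry pairs the tactic tag `attack.execution` with `attack.t1218.011` (rundll32), which ATT&CK places under Defense Evasion, so the tactic/technique pair is inconsistent and the entry will be shown under the wrong tactic; add `attack.defense_evasion` and keep `attack.execution` only if the rule also maps to a T1059-style execution technique. The entry is level critical with `"falsepositive": ["Unlikely"]`, which is appropriate only if the matching logic is tied to the specific 2018 campaign artefacts from the Mandiant and Microsoft write-ups; that cannot be confirmed from the metadata alone, so a sentence in the description noting that the indicators are campaign-specific and dated 2018 would help analysts judge their relevance today. Fix upstream in SigmaHQ and regenerate.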
@@ -54339,98 +54437,6 @@
  "uuid": "de587dce-915e-4218-aac4-835ca6af6f70",
  "value": "Potential Persistence Attempt Via Run Keys Using Reg.EXE"
  },
- {
- "description": "Detects activity that could be related to Baby Shark malware",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_babyshark.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.discovery",
- "attack.t1012",
- "attack.defense_evasion",
- "attack.t1218.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35",
- "value": "Baby Shark Activity"
- },
- {
- "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_run_from_zip.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ]
- },
- "related": [
- {
- "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1a70042a-6622-4a2b-8958-267625349abf",
- "value": "Run from a Zip File"
- },
  {
  "description": "Detects some Empire PowerShell UAC bypass methods",
  "meta": {
@@ -54444,8 +54450,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
  "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
  ],
  "tags": [
@@ -54514,8 +54520,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml"
  ],
  "tags": [
@@ -54593,42 +54599,6 @@
  "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc",
  "value": "Suspicious Workstation Locking via Rundll32"
  },
- {
- "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.",
- "meta": {
- "author": "@ROxPinTeddy",
- "creation_date": "2020/05/12",
- "falsepositive": [
- "Legitimate use of Winrar command line version",
- "Other command line tools, that use these flags"
- ],
- "filename": "proc_creation_win_susp_rar_flags.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
- "https://ss64.com/bash/rar.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "faa48cae-6b25-4f00-a094-08947fef582f",
- "value": "Rar Usage with Password and Compression Level"
- },
  {
  "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts",
  "meta": {
@@ -54664,6 +54634,48 @@
  "uuid": "93199800-b52a-4dec-b762-75212c196542",
  "value": "PUA - RunXCmd Execution"
  },
+ {
+ "description": "Detects the use of \"DumpMinitool.exe\" a tool bundled with Visual Studio and DotNTET",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/04/06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_dumpminitool_execution.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42",
+ "value": "DumpMinitool Usage"
+ },
  {
  "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line",
  "meta": {
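Review bot: The description of the new DumpMinitool entry carries a typo, `"Visual Studio and DotNTET"`, which should read `"Visual Studio and .NET"`. Because this cluster mirrors the Sigma rule `proc_creation_win_dumpminitool_execution.yml`, the correction belongs in that rule so the next regeneration does not reintroduce it.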
@@ -54731,6 +54743,43 @@
  "uuid": "9248c7e1-2bf3-4661-a22c-600a8040b446",
  "value": "Potential Rundll32 Execution With DLL Stored In ADS"
  },
+ {
+ "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc",
+ "meta": {
+ "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group",
+ "creation_date": "2021/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_pua_rclone_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638",
+ "value": "PUA - Rclone Execution"
+ },
  {
  "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n",
  "meta": {
@@ -54764,56 +54813,6 @@
  "uuid": "4b046706-5789-4673-b111-66f25fe99534",
  "value": "Deleted Data Overwritten Via Cipher.EXE"
  },
- {
- "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/06",
- "falsepositive": [
- "Administrative activity"
- ],
- "filename": "proc_creation_win_susp_add_user_remote_desktop.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.lateral_movement",
- "attack.t1133",
- "attack.t1136.001",
- "attack.t1021.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e",
- "value": "Suspicious Add User to Remote Desktop Users Group"
- },
  {
  "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation",
  "meta": {
@@ -54827,8 +54826,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://nmap.org/",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
+ "https://nmap.org/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
  ],
  "tags": [
@@ -54861,8 +54860,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
  "https://twitter.com/WindowsDocs/status/1620078135080325122",
+ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml"
  ],
  "tags": [
@@ -54874,36 +54873,39 @@
  "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage"
  },
  {
- "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)",
+ "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity",
  "meta": {
- "author": "Max Altgelt (Nextron Systems)",
- "creation_date": "2022/08/23",
+ "author": "Florian Roth (Nextron Systems), wagga",
+ "creation_date": "2020/12/23",
  "falsepositive": [
- "Unknown"
+ "Unlikely"
  ],
- "filename": "proc_creation_win_sysnative.yml",
- "level": "medium",
+ "filename": "proc_creation_win_apt_lazarus_group_activity.yml",
+ "level": "critical",
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml"
+ "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_group_activity.yml"
  ],
  "tags": [
- "attack.t1055"
+ "attack.g0032",
+ "attack.execution",
+ "attack.t1059"
  ]
  },
  "related": [
  {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
  "tags": [
  "estimative-language:likelihood-probability=\"almost-certain\""
  ],
  "type": "related-to"
  }
  ],
- "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab",
- "value": "Process Creation Using Sysnative Folder"
+ "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a",
+ "value": "Lazarus Group Activity"
  },
  {
  "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.",
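Review bot: This hunk removes cluster UUID `3c1b5fb0-c72f-45ba-abd1-4d4c353144ab` ("Process Creation Using Sysnative Folder") and reuses its slot for the Lazarus entry under a new UUID, so any MISP event already tagged with the old galaxy UUID stops resolving once this version is imported. Galaxy entries are normally retained and flagged as revoked rather than deleted (the cluster schema's `revoked` flag, if this generator supports it), and the same concern applies to the entries deleted elsewhere in this diff: Baby Shark, Run from a Zip File, Rar flags, Remote Desktop Users group, Explorer proxy execution, NTLM relay, WinRM AWL bypass and Browser remote debugging. Separately, the new `"attack.g0032"` tag has no matching `related` entry while `"attack.t1059"` does; it is worth confirming whether the generator is expected to emit group relationships or only technique ones.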
@@ -54919,8 +54921,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://twitter.com/vxunderground/status/1423336151860002816",
- "https://attack.mitre.org/software/S0404/",
  "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
  ],
  "tags": [
@@ -54948,6 +54950,83 @@
  "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101",
  "value": "Esentutl Gather Credentials"
  },
+ {
+ "description": "Use of hostname to get information",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hostname_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e",
+ "value": "Suspicious Execution of Hostname"
+ },
+ {
+ "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/02/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.youtube.com/watch?v=Ie831jF0bb0",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011",
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6",
+ "value": "Process Access via TrolleyExpress Exclusion"
+ },
  {
  "description": "Detects the use of NSudo tool for command execution",
  "meta": {
@@ -54961,8 +55040,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
  "https://nsudo.m2team.org/en-us/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
  ],
  "tags": [
@@ -55062,8 +55141,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/cglyer/status/1182391019633029120",
  "https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
  ],
  "tags": [
@@ -55096,8 +55175,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml"
  ],
  "tags": [
@@ -55207,14 +55286,14 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
  "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
  ],
  "tags": [
@@ -55276,39 +55355,6 @@
  "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c",
  "value": "Suspicious Msiexec Quiet Install From Remote Location"
  },
- {
- "description": "Attackers can use explorer.exe for evading defense mechanisms",
- "meta": {
- "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative",
- "creation_date": "2020/10/05",
- "falsepositive": [
- "Legitimate explorer.exe run from cmd.exe"
- ],
- "filename": "proc_creation_win_susp_explorer.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e",
- "value": "Proxy Execution Via Explorer.exe"
- },
  {
  "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored",
  "meta": {
@@ -55454,41 +55500,6 @@
  "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63",
  "value": "RDP Port Forwarding Rule Added Via Netsh.EXE"
  },
- {
- "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service",
- "meta": {
- "author": "Elastic (idea), Tobias Michalski (Nextron Systems)",
- "creation_date": "2022/05/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_ntlmrelay.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
- "https://twitter.com/med0x2e/status/1520402518685200384",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access",
- "attack.t1212"
- ]
- },
- "related": [
- {
- "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
- "value": "Suspicious NTLM Authentication on the Printer Spooler Service"
- },
  {
  "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI",
  "meta": {
@@ -55502,8 +55513,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
  "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml"
  ],
  "tags": [
@@ -55536,8 +55547,8 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
  "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
  ],
  "tags": [
@@ -55557,6 +55568,41 @@
  "uuid": "9f107a84-532c-41af-b005-8d12a607639f",
  "value": "Suspicious Cabinet File Expansion"
  },
+ {
+ "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2022/08/07",
+ "falsepositive": [
+ "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process."
+ ],
+ "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/frack113/status/1555830623633375232",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969",
+ "value": "Use Short Name Path in Command Line"
+ },
  {
  "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells",
  "meta": {
@@ -55702,8 +55748,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://blog.viettelcybersecurity.com/saml-show-stopper/",
- "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
  "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
+ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml"
  ],
  "tags": "No established tags"
@@ -55711,6 +55757,30 @@
  "uuid": "cea2b7ea-792b-405f-95a1-b903ea06458f",
  "value": "Manage Engine Java Suspicious Sub Process"
  },
+ {
+ "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
+ "value": "Potential Signing Bypass Via Windows Developer Features"
+ },
  {
  "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
  "meta": {
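Review bot: The added "Potential Signing Bypass Via Windows Developer Features" entry in the second hunk is the only new cluster in this diff without a `related` array, because its tags hold only the tactic `"attack.defense_evasion"` and no technique, so nothing links it to ATT&CK the way every other addition is linked. Its `refs` also contains the bare string `"Internal Research"` beside URLs, which a consumer that renders refs as links may not handle. Both originate in the upstream Sigma rule `proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml`; adding a technique-level tag there (T1553 Subvert Trust Controls looks like the nearest fit, to be confirmed) and regenerating would restore the relationship.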
@@ -55745,39 +55815,6 @@
  "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb",
  "value": "Winnti Malware HK University Campaign"
  },
- {
- "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)",
- "meta": {
- "author": "Julia Fomina, oscd.community",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_susp_winrm_awl_bypass.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ]
- },
- "related": [
- {
- "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d",
- "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
- },
  {
  "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)",
  "meta": {
@@ -55791,12 +55828,12 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
  "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
  "https://twitter.com/Wietze/status/1542107456507203586",
  "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
- "https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
  ],
  "tags": [
@@ -55839,9 +55876,9 @@
  "logsource.category": "process_creation",
  "logsource.product": "windows",
  "refs": [
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
  "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
  "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
  ],
  "tags": [
@@ -55861,42 +55898,6 @@
  "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2",
  "value": "Regasm/Regsvcs Suspicious Execution"
  },
- {
- "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks",
- "meta": {
- "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_browser_remote_debugging.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
- "https://github.com/wunderwuzzi23/firefox-cookiemonster",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1185"
- ]
- },
- "related": [
- {
- "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
- "value": "Browser Started with Remote Debugging"
- },
  {
  "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera",
  "meta": {
@@ -55930,6 +55931,40 @@
  "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513",
  "value": "PUA - WebBrowserPassView Execution"
  },
+ {
+ "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/09/09",
+ "falsepositive": [
+ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"
+ ],
+ "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f",
+ "value": "User Discovery And Export Via Get-ADUser Cmdlet"
+ },
  {
  "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
  "meta": {
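Review bot: The new Get-ADUser entry maps to `"attack.t1033"` (System Owner/User Discovery) and links only to dest-uuid `03d7999c-1f4c-42cc-8373-e7690d318104`, yet the description covers enumerating domain users and exporting them to a file, which reads closer to Account Discovery: Domain Account (T1087.002). The mapping comes from the upstream Sigma rule `proc_creation_win_powershell_user_discovery_get_aduser.yml`, so it should be checked and corrected there before the cluster is regenerated, otherwise ATT&CK-based pivots in MISP will attach this rule to the wrong technique.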
@@ -55944,11 +55979,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ 
@@ -56049,12 +56084,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -56129,12 +56164,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/nas_bench/status/1433344116071583746", - "https://twitter.com/Hexacorn/status/885258886428725250", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/Hexacorn/status/885258886428725250", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479080793003671557", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ 
@@ -56167,8 +56202,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -56201,8 +56236,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ 
@@ -56283,77 +56318,127 @@ "value": "HackTool - Windows Credential Editor (WCE) Execution" }, { - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "meta": { - "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/09/06", + "author": "frack113", + "creation_date": "2021/11/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_install_reg_debugger_backdoor.yml", - "level": "high", + "filename": "proc_creation_win_hktl_zipexec.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" + "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" ], "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" ] }, "related": [ { - "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", - 
"value": "Suspicious Debugger Registration Cmdline" + "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", + "value": "Suspicious ZipExec Execution" }, { - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "creation_date": "2019/10/24", + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/20", "falsepositive": [ - "Unlikely" + "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], - "filename": "proc_creation_win_lsass_dump.yml", - "level": "high", + "filename": "proc_creation_win_lolbin_pester.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" + "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "value": "LSASS Memory Dumping" + "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", + "value": "Execute Code with Pester.bat as Parent" }, { - "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/23", + "falsepositive": [ + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" + ], + "filename": "proc_creation_win_explorer_nouaccheck.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ORCA6665/status/1496478087244095491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "value": "Explorer NOUACCHECK Flag" + }, + { + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located 
in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/28", @@ -56365,8 +56450,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", + "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -56384,7 +56470,7 @@ } ], "uuid": "efec536f-72e8-4656-8960-5e85d091345b", - "value": "Set Suspicious Files as System Files Using Attrib" + "value": "Set Suspicious Files as System Files Using Attrib.EXE" }, { "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", @@ -56399,8 +56485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", "https://securelist.com/schroedingers-petya/78870/", + "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" ], "tags": [ 
@@ -56438,6 +56524,74 @@ "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", "value": "NotPetya Ransomware Activity" }, + { + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "meta": { + "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" + ] + }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", + "value": "Suspicious Debugger Registration Cmdline" + }, + { + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ] + }, + "related": [ + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "value": "Potential Remote Desktop Tunneling" + }, { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "meta": { 
@@ -56472,6 +56626,56 @@ "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "value": "Potential Defense Evasion Via Binary Rename" }, + { + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/06", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" + ] + }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "value": "Suspicious Add User to Remote Desktop Users Group" + }, { "description": "Detects the malicious use of a control panel item", "meta": { 
@@ -56515,39 +56719,6 @@ "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "value": "Control Panel Items" }, - { - "description": "Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", - "value": "Execution via MSSQL Xp_cmdshell Stored Procedure" - }, { "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", "meta": { 
@@ -56582,6 +56753,73 @@ "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "value": "Potential CVE-2021-26857 Exploitation Attempt" }, + { + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", + "value": "Potential Persistence Via Microsoft Compatibility Appraiser" + }, + { + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "meta": { + "author": "Florian Roth (Nextron Systems), Maxime Thiebaut", + "creation_date": "2021/08/23", + "falsepositive": [ + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + ], + "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://streamable.com/q2dsji", + 
"https://twitter.com/j0nh4t/status/1429049506021138437", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_razorinstaller_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1553" + ] + }, + "related": [ + { + "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "value": "Suspicious RazerInstaller Explorer Subprocess" + }, { "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "meta": { @@ -56595,11 +56833,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", - "https://blog.alyac.co.kr/1901", "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://blog.alyac.co.kr/1901", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ 
@@ -56670,6 +56908,73 @@ "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "value": "UAC Bypass via Windows Firewall Snap-In Hijack" }, + { + "description": "Use of reg to get MachineGuid information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_machineguid.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", + "value": "Suspicious Query of MachineGUID" + }, + { + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + 
{ + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "value": "InfDefaultInstall.exe .inf Execution" + }, { "description": "Detects when a share is mounted using the \"net.exe\" utility", "meta": { @@ -56717,8 +57022,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ @@ -56752,9 +57057,9 @@ "logsource.product": "windows", "refs": [ "https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/", - "https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver", - "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", "https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_41379.yml" ], "tags": [ 
@@ -56787,9 +57092,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1534957360032120833", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://twitter.com/nas_bench/status/1534957360032120833", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ 
@@ -56826,56 +57131,6 @@ "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "value": "WinDbg/CDB LOLBIN Usage" }, - { - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "meta": { - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate administrator working with shadow copies, access for backup purposes" - ], - "filename": "proc_creation_win_shadow_copies_creation.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" - ] - }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "value": "Shadow Copies Creation Using Operating Systems Utilities" - }, { "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { 
@@ -56889,8 +57144,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cw1997/NATBypass", "https://github.com/HiwinCN/HTran", + "https://github.com/cw1997/NATBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ @@ -56925,8 +57180,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ 
@@ -56980,6 +57235,39 @@ "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "value": "Renamed SysInternals DebugView Execution" }, + { + "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_conhost_susp_child_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", + "value": "Conhost Parent Process Executions" + }, { "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "meta": { 
@@ -57014,38 +57302,37 @@ "value": "Suspicious Rundll32 Invoking Inline VBScript" }, { - "description": "Attackers can use print.exe for remote file copy", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "creation_date": "2020/10/05", + "author": "frack113", + "creation_date": "2021/07/27", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_print.yml", + "filename": "proc_creation_win_winzip_password_compression.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/985518877076541440", - "https://lolbas-project.github.io/lolbas/Binaries/Print/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218" + "attack.collection", + "attack.t1560.001" ] }, "related": [ { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", - "value": "Abusing Print Executable" + "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, { "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", 
@@ -57060,8 +57347,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ 
@@ -57081,102 +57368,6 @@
 "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215",
 "value": "Use of W32tm as Timer"
 },
- {
- "description": "Detects Elise backdoor acitivty as used by APT32",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/01/31",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_elise.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml"
- ],
- "tags": [
- "attack.g0030",
- "attack.g0050",
- "attack.s0081",
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f",
- "value": "Elise Backdoor"
- },
- {
- "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)",
- "meta": {
- "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)",
- "creation_date": "2022/06/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_office_exploit_via_directory_traversal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444",
- "https://twitter.com/sbousseaden/status/1531653369546301440",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exploit_via_directory_traversal.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion"
- ]
- },
- "uuid": "868955d9-697e-45d4-a3da-360cefd7c216",
- "value": "Potential Exploitation Attempt From Office Application"
- },
- {
- "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/04/20",
- "falsepositive": [
- "Should not be any false positives"
- ],
- "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml"
- ],
- "tags": [
- "attack.g0032",
- "attack.execution",
- "attack.t1106"
- ]
- },
- "related": [
- {
- "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": 
"4a12fa47-c735-4032-a214-6fab5b120670", - "value": "Lazarus Activity Apr21" - }, { "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", "meta": { 
@@ -57210,81 +57401,6 @@
 "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677",
 "value": "Webshell Recon Detection Via CommandLine & Processes"
 },
- {
- "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/12/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_copy_browser_data.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b",
- "value": "Potential Browser Data Stealing"
- },
- {
- "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.",
- "meta": {
- "author": "Janantha Marasinghe",
- "creation_date": "2020/09/26",
- "falsepositive": [
- "This may have false positives on hosts where Virtualbox is legitimately being used for operations"
- ],
- "filename": "proc_creation_win_run_virtualbox.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.006",
- "attack.t1564"
- ]
- },
- "related": [
- {
- "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bab049ca-7471-4828-9024-38279a4c04da",
- "value": "Detect Virtualbox Driver Installation OR Starting Of VMs"
- },
 {
 "description": "Execute VBscript code that is referenced within the *.bgi file.",
 "meta": {
@@ -57336,6 +57452,73 @@
 "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771",
 "value": "Application Whitelisting Bypass via Bginfo"
 },
+ {
+ "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/07/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_powershell_zip_compress.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1074.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98",
+ "value": "Zip A Folder With PowerShell For Staging In Temp"
+ },
+ {
+ "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_cmd_del_greedy_deletion.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "204b17ae-4007-471b-917b-b917b315c5db",
+ "value": "Greedy File Deletion Using Del"
+ },
 {
 "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers",
 "meta": {
@@ -57349,8 +57532,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
@@ -57375,9 +57558,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
 ],
 "tags": [
@@ -57439,49 +57622,6 @@
 "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d",
 "value": "UAC Bypass Using IEInstal - Process"
 },
- {
- "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/11/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_zipexec.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1451237393017839616",
- "https://github.com/Tylous/ZipExec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1218",
- "attack.t1202"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132",
- "value": "Suspicious ZipExec Execution"
- },
 {
 "description": "Well-known DNS Exfiltration tools execution",
 "meta": {
@@ -57610,10 +57750,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://curl.se/docs/manpage.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml"
 ],
 "tags": [
@@ -57654,9 +57794,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
 "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
- "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml"
 ],
 "tags": [
@@ -57709,29 +57849,6 @@
 "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea",
 "value": "Suspicious Rundll32 Activity Invoking Sys File"
 },
- {
- "description": "Detects encoded base64 MZ header in the commandline",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/12",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_inline_base64_mz_header.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml"
- ],
- "tags": [
- "attack.execution"
- ]
- },
- "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f",
- "value": "Base64 MZ Header In CommandLine"
- },
 {
 "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata",
 "meta": {
@@ -57779,8 +57896,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
 ],
@@ -57801,40 +57918,6 @@
 "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5",
 "value": "Potential Arbitrary Command Execution Using Msdt.EXE"
 },
- {
- "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.",
- "meta": {
- "author": "Julia Fomina, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Legitimate use for administartive purposes. Unlikely"
- ],
- "filename": "proc_creation_win_susp_winrm_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
- "https://twitter.com/bohops/status/994405551751815170",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ]
- },
- "related": [
- {
- "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0",
- "value": "Remote Code Execute via Winrm.vbs"
- },
 {
 "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe",
 "meta": {
@@ -57884,6 +57967,82 @@
 "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8",
 "value": "Sysmon Driver Unloaded Via Fltmc.EXE"
 },
+ {
+ "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking",
+ "meta": {
+ "author": "xknow @xknow_infosec, Tim Shelton",
+ "creation_date": "2020/06/11",
+ "falsepositive": [
+ "Java tools are known to produce false-positive when loading libraries"
+ ],
+ "filename": "proc_creation_win_cmd_path_traversal.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/Oddvarmoe/status/1270633613449723905",
+ "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1",
+ "value": "Potential CommandLine Path Traversal Via Cmd.EXE"
+ },
+ {
+ "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.",
+ "meta": {
+ "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2020/01/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218",
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288",
+ "value": "Curl Download And Execute Combination"
+ },
 {
 "description": "Detects a suspicious copy command to or from an Admin share or remote",
 "meta": {
@@ -57897,10 +58056,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -58005,6 +58164,40 @@
 "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12",
 "value": "HackTool - ADCSPwn Execution"
 },
+ {
+ "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2018/06/22",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "filename": "proc_creation_win_sysprep_appdata.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e",
+ "value": "Sysprep on AppData Folder"
+ },
 {
 "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs",
 "meta": {
@@ -58072,75 +58265,66 @@
 "value": "PowerShell Get-Process LSASS"
 },
 {
- "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example",
+ "description": "Detects AdFind execution with common flags seen used during attacks",
 "meta": {
- "author": "Ilya Krestinichev",
- "creation_date": "2022/11/03",
+ "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community",
+ "creation_date": "2021/02/02",
 "falsepositive": [
- "False positive could occur in admin scripts that execute inline"
+ "Legitimate admin activity"
 ],
- "filename": "proc_creation_win_susp_ping_del_combined_execution.yml",
+ "filename": "proc_creation_win_pua_adfind_susp_usage.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del_combined_execution.yml"
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ 
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" ] }, "related": [ { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "value": "Suspicious Ping/Del Command Combination" - }, - { - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection",
- "meta": {
- "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_ntfs_short_name_use_image.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
- "value": "Use NTFS Short Name in Image"
+ "uuid": "9a132afa-654e-11eb-ae93-0242ac130002",
+ "value": "PUA - AdFind Suspicious Execution"
 },
 {
 "description": "Detects execution of curl.exe with custom useragent options",
@@ -58156,8 +58340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
 "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_useragent.yml"
 ],
 "tags": [
@@ -58180,18 +58364,18 @@
 {
 "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz",
 "meta": {
- "author": "Georg Lauenstein",
+ "author": "Georg Lauenstein (sure[secure])",
 "creation_date": "2022/09/19",
 "falsepositive": [
- "Other programs that use the same command line flags"
+ "Unlikely"
 ],
 "filename": "proc_creation_win_hktl_winpeas.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
+ "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml"
 ],
 "tags": [
@@ -58240,8 +58424,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml"
 ],
 "tags": [
@@ -58262,73 +58446,40 @@
 "value": "Root Certificate Installed From Susp Locations"
 },
 {
- "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal",
+ "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n",
 "meta": {
- "author": "Christian Burkard (Nextron Systems)",
- "creation_date": "2021/10/26",
+ "author": "Sreeman",
+ "creation_date": "2020/01/13",
 "falsepositive": [
- "Google Drive",
- "Citrix"
+ "Unknown"
 ],
- "filename": "proc_creation_win_commandline_path_traversal_evasion.yml",
+ "filename": "proc_creation_win_susp_task_folder_evasion.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Gal_B1t/status/1062971006078345217",
- "https://twitter.com/hexacorn/status/1448037865435320323",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
+ "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+ "https://twitter.com/subTee/status/1216465628946563073",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1036"
+ "attack.persistence",
+ "attack.execution",
+ "attack.t1574.002"
 ]
 },
 "related": [
 {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b",
- "value": "Command Line Path Traversal Evasion"
- },
- {
- "description": "Executes SCT script using scrobj.dll 
from a command in entered into a specially prepared INF file.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/13",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_infdefaultinstall.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b",
- "value": "InfDefaultInstall.exe .inf Execution"
+ "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0",
+ "value": "Tasks Folder Evasion"
 },
 {
 "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n",
@@ -58365,39 +58516,40 @@ "value": "Suspicious Modification Of Scheduled Tasks" }, { - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "meta": { - "author": "_pete_0, TheDFIRReport", - "creation_date": "2022/05/06", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/23", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml", + "filename": "proc_creation_win_hktl_selectmyparent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "attack.defense_evasion", + "attack.t1134.004" ] }, "related": [ { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - 
"value": "Operator Bloopers Cobalt Strike Modules" + "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", + "value": "HackTool - PPID Spoofing SelectMyParent Tool Execution" }, { "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", @@ -58433,29 +58585,6 @@ "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", "value": "Execution via CL_Invocation.ps1" }, - { - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/11/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_command_flag_pattern.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", - "value": "Suspicious RunAs-Like Flag Combination" - }, { "description": "Detects netsh commands that turns off the Windows firewall", "meta": { @@ -58469,8 +58598,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], 
@@ -58559,9 +58688,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
 ],
 "tags": [
@@ -58587,16 +58716,16 @@
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2021/03/09",
 "falsepositive": [
- "Unknown"
+ "Unlikely"
 ],
 "filename": "proc_creation_win_apt_hafnium.yml",
- "level": "high",
+ "level": "critical",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
 "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://twitter.com/BleepinComputer/status/1372218235949617161",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
@@ -58624,7 +58753,41 @@
 }
 ],
 "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7",
- "value": "Exchange Exploitation Activity"
+ "value": "HAFNIUM Exchange Exploitation Activity"
+ },
+ {
+ "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_cmd_rmdir_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "41ca393d-538c-408a-ac27-cf1e038be80c",
+ "value": "Directory Removal Via Rmdir"
 },
 {
 "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports",
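Review bot: The new `Directory Removal Via Rmdir` cluster lists https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase as its first reference, which documents `del`/`erase` rather than `rmdir`; the `rmdir` page in the same windows-commands section is the matching reference. The `File Deletion Via Del` entry added later in this diff reuses the identical URL, so the reference looks copied between the two rules. If this JSON is generated from the upstream Sigma rule, the correction belongs in `proc_creation_win_cmd_rmdir_execution.yml` rather than in this file.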
@@ -58639,8 +58802,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
 ],
@@ -58682,8 +58845,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
 "tags": "No established tags"
@@ -58716,95 +58879,38 @@ "value": "Add New Windows Capability - ProcCreation" }, { - "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Admin activity" - ], - "filename": "proc_creation_win_change_default_file_association.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.001" - ] - }, - "related": [ - { - "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", - "value": "Change Default File Association" - }, - { - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/01/16", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "creation_date": "2020/10/07", "falsepositive": [ "Unknown" ], - "filename": 
"proc_creation_win_vul_java_remote_debugging.yml", + "filename": "proc_creation_win_registry_cimprovider_dll_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" ], "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.t1574" ] }, "related": [ { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", - "value": "Java Running with Remote Debugging" - }, - { - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "meta": { - "author": "Andreas Hunkeler (@Karneades), Florian Roth", - "creation_date": "2021/12/17", - "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" - ], - "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "value": "Suspicious Shells Spawned by Java" + "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", + "value": "DLL Execution Via Register-cimprovider.exe" }, { "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", @@ -58819,10 +58925,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ 
@@ -58886,6 +58992,51 @@
 "uuid": "970823b7-273b-460a-8afc-3a6811998529",
 "value": "Uncommon One Time Only Scheduled Task At 00:00"
 },
+ {
+ "description": "Files with well-known filenames (sensitive files with credential data) copying",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2019/10/22",
+ "falsepositive": [
+ "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator"
+ ],
+ "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.002",
+ "attack.t1003.003",
+ "car.2013-07-001",
+ "attack.s0404"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f",
+ "value": "Copying Sensitive Files with Credential Data"
+ },
 {
 "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin",
 "meta": {
@@ -58955,6 +59106,81 @@ "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", "value": "Use of UltraVNC Remote Access Software" }, + { + "description": "Detects suspicious file execution by wscript and cscript", + "meta": { + "author": "Michael Haag", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + ], + "filename": "proc_creation_win_script_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "value": "WSF/JSE/JS/VBA/VBE File Execution" + }, + { + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "value": "Operator Bloopers Cobalt Strike Modules" + }, { "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", "meta": { @@ -58994,7 +59220,7 @@ } ], "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", - "value": "Scheduled Task WScript VBScript" + "value": "Potential ACTINIUM Persistence Activity" }, { "description": "Detects usage of wmic to start or stop a service", @@ -59082,7 +59308,7 @@ "author": "Aaron Herman", "creation_date": "2022/10/01", "falsepositive": [ - "Legitimate applications installed on other partitions such as \"D:\"" + "Legitimate scripts located on other partitions such as \"D:\"" ], "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", "level": "medium", 
@@ -59144,58 +59370,59 @@ "value": "Visual Basic Command Line Compiler Usage" }, { - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/26", + "author": "Florian Roth (Nextron Systems), Hieu Tran", + "creation_date": "2023/03/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_web_sysaidserver.yml", + "filename": "proc_creation_win_powershell_download_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" + "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml" ], "tags": "No established tags" }, - "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", - "value": "Suspicious SysAidServer Child" + "uuid": "0f0450f3-8b47-441e-a31b-15a91dc243e2", + "value": "Potential DLL File Download Via PowerShell Invoke-WebRequest" }, { - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of 
these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "meta": { - "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", - "creation_date": "2020/10/05", + "author": "frack113", + "creation_date": "2022/01/15", "falsepositive": [ - "Unknown" + "False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" ], - "filename": "proc_creation_win_non_priv_reg_or_ps.yml", - "level": "high", + "filename": "proc_creation_win_cmd_del_execution.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml" + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1070.004" ] }, "related": [ { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", - "value": "Non-privileged Usage of Reg or Powershell" + "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", + "value": "File Deletion Via Del" }, { "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", 
@@ -59230,72 +59457,6 @@ "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", "value": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" }, - { - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", - "https://h.43z.one/ipconverter/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", - "value": "Obfuscated IP Via CLI" - }, - { - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml" - ], - "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" - ] - }, - "related": [ - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", - "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" - }, { "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "meta": { 
@@ -59309,11 +59470,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -59346,8 +59507,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://tools.thehacker.recipes/mimikatz/modules",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
 ],
 "tags": [
@@ -59399,47 +59560,6 @@
 "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d",
 "value": "HackTool - Mimikatz Execution"
 },
- {
- "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud",
- "meta": {
- "author": "Max Altgelt (Nextron Systems)",
- "creation_date": "2022/04/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_creative_cloud_node_abuse.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mttaggart/status/1511804863293784064",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1127",
- "attack.t1059.007"
- ]
- },
- "related": [
- {
- "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e",
- "value": "Node Process Executions"
- },
 {
 "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",
 "meta": {
@@ -59509,6 +59629,60 @@ "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "value": "Firewall Rule Deleted Via Netsh.EXE" }, + { + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", + "value": "Remote File Download via Desktopimgdownldr Utility" + }, + { + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml" + ], + "tags": "No established tags" + }, + "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", + 
"value": "Suspicious Windows Update Agent Empty Cmdline" + }, { "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", "meta": { @@ -59524,8 +59698,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" ], "tags": [ 
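Review bot: In the added `Suspicious Windows Update Agent Empty Cmdline` entry, `"tags": "No established tags"` is a string, while every other entry in these hunks carries `tags` as an array; a consumer that iterates `meta.tags` will iterate the characters of that sentinel instead of ATT&CK tags. The same string appears on context lines for other entries, so it looks like the generator's placeholder for rules that have no tags; emitting `"tags": []` or omitting the key keeps the field's type consistent across the cluster. The correction belongs in whatever produces this file rather than in a hand edit of the JSON.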
@@ -59546,82 +59720,7 @@ "value": "Suspicious Copy From or To System32" }, { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "value": "Invoke-Obfuscation Via Use MSHTA" - }, - { - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "meta": { - "author": "frack113", - "creation_date": "2021/07/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_winzip.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": 
"00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", - "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" - }, - { - "description": "Marks a file as a system file using the attrib.exe utility", + "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", "meta": { "author": "frack113", "creation_date": "2022/02/04", @@ -59633,8 +59732,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], "tags": [ @@ -59652,7 +59752,7 @@ } ], "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "value": "Set Windows System File with Attrib" + "value": "Set Files as System Files Using Attrib.EXE" }, { "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", 
@@ -59667,8 +59767,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" ], "tags": [ @@ -59864,8 +59964,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/logman.html", "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ @@ -59906,11 +60006,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/cglyer/status/1355171195654709249", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ 
@@ -59977,9 +60077,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_maze_ransomware.yml" ], "tags": [ @@ -60064,9 +60164,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], @@ -60100,9 +60200,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/hfiref0x/UACME", + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ 
@@ -60136,8 +60236,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
 "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
+ "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
 ],
 "tags": [
@@ -60174,6 +60274,39 @@
 "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a",
 "value": "Droppers Exploiting CVE-2017-11882"
 },
+ {
+ "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n",
+ "meta": {
+ "author": "Timur Zinniatullin, oscd.community",
+ "creation_date": "2019/10/21",
+ "falsepositive": [
+ "Admin activity"
+ ],
+ "filename": "proc_creation_win_cmd_assoc_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061",
+ "value": "Change Default File Association Via Assoc"
+ },
 {
 "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n",
 "meta": {
@@ -60187,8 +60320,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -60276,6 +60409,40 @@
 "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929",
 "value": "Findstr LSASS"
 },
+ {
+ "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+ "meta": {
+ "author": "Tim Rauch",
+ "creation_date": "2022/09/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40",
+ "value": "Deletion of Volume Shadow Copies via WMI with PowerShell"
+ },
 {
 "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system",
 "meta": {
@@ -60365,30 +60532,70 @@ "value": "Suspicious Hacktool Execution - Imphash" }, { - "description": "Detects use of executionpolicy option to set insecure policies", + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", "meta": { - "author": "frack113", - "creation_date": "2021/11/01", + "author": "Aedan Russell, frack113 (sigma)", + "creation_date": "2022/06/19", "falsepositive": [ - "Administrator script" + "Unknown" ], - "filename": "proc_creation_win_set_policies_to_unsecure_level.yml", - "level": "medium", + "filename": "proc_creation_win_browsers_chrome_load_extension.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chrome_load_extension.yml" ], "tags": [ + "attack.persistence", + "attack.t1176" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "value": "Powershell ChromeLoader Browser Hijacker" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", 
+ "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
@@ -60397,43 +60604,8 @@ "type": "related-to" } ], - "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", - "value": "Change PowerShell Policies to an Insecure Level" - }, - { - "description": "This rule detects the execution of Run Once task as configured in the registry", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_runonce_execution.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", - "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", - "value": "Run Once Task Execution as Configured in Registry" + "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", + "value": "Invoke-Obfuscation VAR+ Launcher" }, { "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", 
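Review bot: The `Run Once Task Execution as Configured in Registry` cluster (uuid `198effb6-6c98-4d0c-9ea3-451fa143c45c`) is removed here with no replacement visible in this diff, and the same holds for `ac20ae82-8758-4f38-958e-b44a3140ca88` and `e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d` in hunk `@@ -59546`, `62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c` in `@@ -60501`, `43f487f0-755f-4c2a-bce7-d6d2eec2fcf8` in `@@ -60631` and `93671f99-04eb-4ab4-a161-70d446a84003` in `@@ -61235`. If these entries are re-added elsewhere in the file, as `21ff4ca9-f13a-41ad-b828-0077b2af2e40` demonstrably is (moved from `@@ -61235` to `@@ -60276` with a new `filename`), this is only reordering; if they are genuinely dropped, MISP events already tagged with these cluster uuids will stop resolving. In the latter case keeping the entry and marking it `"revoked": true`, as other misp-galaxy clusters do for retired entries, preserves the reference, and the generator could derive that from the previous version of the file.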
@@ -60448,8 +60620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://taggart-tech.com/quasar-electron/", "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -60501,39 +60673,6 @@ "uuid": "b66474aa-bd92-4333-a16c-298155b120df", "value": "Potential Persistence Via Powershell Search Order Hijacking - Task" }, - { - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "meta": { - "author": "frack113", - "creation_date": "2022/02/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_tor_browser.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.003" - ] - }, - "related": [ - { - "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "value": "Tor Client/Browser Execution" - }, { "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "meta": { 
@@ -60547,9 +60686,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
 "http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
 "tags": "No established tags"
@@ -60558,37 +60697,46 @@ "value": "HackTool - PCHunter Execution" }, { - "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/06", + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_inline_win_api_access.yml", + "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/m417z/status/1566674631788007425", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml" + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml" ], "tags": [ + "attack.defense_evasion", + "attack.t1027", "attack.execution", - "attack.t1106" + "attack.t1059.001" ] }, "related": [ { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "value": "Potential WinAPI Calls Via CommandLine" + "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher" }, { "description": "Local accounts, System Owner/User discovery using operating systems utilities", 
@@ -60631,39 +60779,6 @@ "uuid": "502b42de-4306-40b4-9596-6f590c81f073", "value": "Local Accounts Discovery" }, - { - "description": "schtasks.exe create task from user AppData\\Local\\Temp", - "meta": { - "author": "frack113", - "creation_date": "2021/11/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_user_temp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_user_temp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", - "value": "Suspicious Add Scheduled Task From User AppData Temp" - }, { "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", "meta": { 
@@ -60731,6 +60846,48 @@ "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" }, + { + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" + ], + "tags": [ + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" + }, { "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", "meta": { 
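Review bot: The new Settingcontent-Ms entry's `description` explains what a .SettingContent-ms file is but never says what the rule detects, unlike the neighbouring entries whose descriptions all open with "Detects ..."; the only hint of intent is the `value`, "Arbitrary Shell Command Execution Via Settingcontent-Ms". Since the text appears to be imported verbatim from the upstream Sigma rule, the fix belongs in that rule's `description`: a lead sentence stating the process pattern the rule matches, followed by the existing background on the file format, would be enough.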
@@ -60744,8 +60901,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", "https://github.com/h3v0x/CVE-2021-26084_Confluence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml" ], @@ -60923,9 +61080,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", + "https://twitter.com/pabraeken/status/990758590020452353", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ 
@@ -61078,70 +61235,79 @@ "value": "Hidden Powershell in Link File Pattern" }, { - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2021/12/13", + "author": "Max Altgelt (Nextron Systems)", + "creation_date": "2022/04/06", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_where_execution.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1217" - ] - }, - "related": [ - { - "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", - "value": "Suspicious Where Execution" - }, - { - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/04/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_vaultcmd.yml", + "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" + "https://twitter.com/mttaggart/status/1511804863293784064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml" ], "tags": [ - "attack.credential_access", - "attack.t1555.004" + "attack.defense_evasion", + "attack.t1127", + "attack.t1059.007" ] }, "related": [ { - "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", - "value": "Windows Credential Manager Access via VaultCmd" + "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "value": "Node Process Executions" + }, + { + "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/27", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f35c5d71-b489-4e22-a115-f003df287317", + "value": "CobaltStrike Process Patterns" }, { "description": "Detects usage of the wevtutil utility to perform reconnaissance", @@ -61179,8 +61345,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], 
@@ -61191,6 +61357,39 @@
 "uuid": "a20def93-0709-4eae-9bd2-31206e21e6b2",
 "value": "DriverQuery.EXE Execution"
 },
+ {
+ "description": "Detects a process memory dump performed by RdrLeakDiag.exe",
+ "meta": {
+ "author": "Cedric MAURUGEON",
+ "creation_date": "2021/09/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
+ "value": "Process Dump via RdrLeakDiag.exe"
+ },
 {
 "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM",
 "meta": {
@@ -61235,76 +61434,6 @@ "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "value": "SOURGUM Actor Behaviours" }, - { - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "related": [ - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "value": "Deletion of Volume Shadow Copies via WMI with PowerShell" - }, - { - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_rpcping.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/873181705024266241", - 
"https://twitter.com/vysecurity/status/974806438316072960", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", - "value": "Capture Credentials with Rpcping.exe" - }, { "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "meta": { @@ -61319,9 +61448,9 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -61388,8 +61517,8 @@ "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/mshta.exe", - "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://en.wikipedia.org/wiki/HTML_Application", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ 
@@ -61422,8 +61551,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -61451,6 +61580,40 @@ "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, + { + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "meta": { + "author": "Austin Songer (@austinsonger)", + "creation_date": "2021/10/21", + "falsepositive": [ + "Legitimate usage of stordiag.exe." + ], + "filename": "proc_creation_win_stordiag_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "value": "Execution via stordiag.exe" + }, { "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "meta": { 
@@ -61465,8 +61628,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ 
@@ -61520,6 +61683,39 @@ "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "value": "Application Removed Via Wmic.EXE" }, + { + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_private_keys_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "value": "Private Keys Reconnaissance Via CommandLine Tools" + }, { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "meta": { 
@@ -61553,40 +61749,6 @@ "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "value": "Changing Existing Service ImagePath Value Via Reg.EXE" }, - { - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "meta": { - "author": "Konstantin Grishchenko, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" - ], - "filename": "proc_creation_win_susp_vboxdrvinst.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pabraeken/status/993497996179492864", - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "value": "Suspicious VBoxDrvInst.exe Parameters" - }, { "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "meta": { 
@@ -61626,7 +61788,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/12/18", "falsepositive": [ - "Unknown" + "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml", "level": "high", 
@@ -61654,47 +61816,37 @@ "value": "Audit Policy Tampering Via NT Resource Kit Auditpol" }, { - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/10", + "author": "Tim Rauch", + "creation_date": "2022/09/28", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml", + "filename": "proc_creation_win_conhost_susp_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=Ie831jF0bb0", - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" + "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_parent.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" + "attack.execution", + "attack.t1059" ] }, "related": [ { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "value": "Process Access via TrolleyExpress Exclusion" + "uuid": 
"cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "value": "Conhost Spawned By Suspicious Parent Process" }, { "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", @@ -61744,8 +61896,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml" ], @@ -61779,8 +61931,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml" ], "tags": [ 
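Review bot: The replacement at this position is not an edit of one rule but the disappearance of the TrolleyExpress procdump cluster (uuid `4c0aaedc-154c-4427-ada0-d80ef9c9deb6`) and the arrival of an unrelated Conhost cluster (`cbb9e3d1-…`) in its slot; the same pattern drops `ad720b90-…` and `9fc51a3c-…` in the hunk at -62035, `6c96fc76-…` at -62282, `ec290c06-…` at -62565 and `e9b61244-…` at -62670. Downstream MISP instances reference clusters by uuid (this file's own `related` lists do the same), so unless those uuids reappear elsewhere in the regenerated file, consumers lose the definitions on the next galaxy update with no signal in this commit. Listing removed uuids in the commit message, or keeping such entries with a deprecation marker instead of deleting them, would let users audit the loss. The many hunks that only reorder `refs` (e.g. the two immediately after this one) suggest the generator does not emit refs in a stable order; sorting them would make genuine changes like this one far easier to review.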
@@ -61811,16 +61963,17 @@ { "description": "Detects possible payload obfuscation via the commandline", "meta": { - "author": "frack113", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/02/15", "falsepositive": [ - "Legitimate use" + "Unknown" ], "filename": "proc_creation_win_cmd_dosfuscation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" ], 
@@ -61839,40 +61992,7 @@ } ], "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", - "value": "Suspicious Dosfuscation Character in Commandline" - }, - { - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "meta": { - "author": "frack113", - "creation_date": "2021/07/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_discover_private_keys.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ] - }, - "related": [ - { - "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", - "value": "Discover Private Keys" + "value": "Potential Dosfuscation Activity" }, { "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", 
@@ -61916,40 +62036,6 @@ "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Potential Encoded PowerShell Patterns In CommandLine" }, - { - "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", - "meta": { - "author": "Sreeman", - "creation_date": "2020/10/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_credential_access_via_password_filter.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ] - }, - "related": [ - { - "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", - "value": "Dropping Of Password Filter DLL" - }, { "description": "Detects commands used by Turla group as reported by ESET in May 2020", "meta": { 
@@ -62035,72 +62121,38 @@ "value": "File Download Using ProtocolHandler.exe" }, { - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/12", + "author": "Sreeman", + "creation_date": "2020/10/29", "falsepositive": [ - "Administrative activity" + "Unknown" ], - "filename": "proc_creation_win_susp_add_local_admin.yml", + "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ - "attack.persistence", - "attack.t1098" + "attack.credential_access", + "attack.t1556.002" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "value": "Add User to Local Administrators" - }, - { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "meta": { - "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, 
oscd.community, Austin Songer @austinsonger", - "creation_date": "2019/10/24", - "falsepositive": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." - ], - "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", - "value": "Usage Of Web Request Commands And Cmdlets" + "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", + "value": "Dropping Of Password Filter DLL" }, { "description": "Detects a command used by conti to dump database", @@ -62115,9 +62167,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_database_dump.yml" ], "tags": [ 
@@ -62137,39 +62189,6 @@ "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", "value": "Potential Conti Ransomware Database Dumping Activity" }, - { - "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/04", - "falsepositive": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" - ], - "filename": "proc_creation_win_susp_winrar_dmp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", - "value": "Winrar Compressing Dump Files" - }, { "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "meta": { @@ -62183,9 +62202,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], 
@@ -62282,49 +62301,7 @@ } ], "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", - "value": "Services Started Via Net.EXE" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_stdin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation STDIN+ Launcher" + "value": "Start Windows Service Via Net.EXE" }, { "description": "Detects user accept agreement execution in psexec commandline", 
@@ -62402,10 +62379,79 @@ "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", "value": "Potential Conti Ransomware Activity" }, + { + "description": "Detects suspicious process related to rasdial.exe", + "meta": { + "author": "juju4", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_rasdial_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/subTee/status/891298217907830785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "value": "Suspicious RASdial Activity" + }, + { + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_service_creation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml" + ], 
+ "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "related": [ + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "value": "Suspicious New Service Creation" + }, { "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", "meta": { - "author": "FPT.EagleEye, Nasreddine Bencherchali", + "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/03/03", "falsepositive": [ "Unknown" @@ -62415,9 +62461,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ 
@@ -62565,38 +62611,36 @@ "value": "Suspicious Plink Port Forwarding" }, { - "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", "meta": { - "author": "frack113", - "creation_date": "2022/10/01", + "author": "Sreeman", + "creation_date": "2021/06/11", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_logoff.yml", + "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml" ], "tags": [ - "attack.impact", - "attack.t1529" + "attack.defense_evasion", + "attack.t1562" ] }, "related": [ { - "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", - "value": "Suspicious Execution of Shutdown to Log Out" + "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "value": "Write Protect For Storage Disabled" }, { "description": "Detects when verclsid.exe is used to run COM object via GUID", 
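Review bot: The new `Write Protect For Storage Disabled` entry carries only the self-referential Sigma repository link in `refs`, whereas every other entry in this chunk cites at least one external source, so a reader has nothing to check the description's attribution to a "cypherpunk group" against. If the upstream rule genuinely has no references this is a documentation gap to raise there; if it does, the generator may be dropping the `references` field for this rule and that is worth verifying before merging. Either way the cluster's `level: medium` and `attack.t1562` mapping rest on an unsourced claim.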
@@ -62611,9 +62655,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -62646,8 +62690,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml" ], "tags": [ 
@@ -62670,38 +62714,81 @@ "value": "Regsvr32 Anomaly" }, { - "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { - "author": "frack113", - "creation_date": "2022/12/11", + "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", + "creation_date": "2023/02/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_create_link_osk_cmd.yml", - "level": "high", + "filename": "proc_creation_win_wmic_recon_product_class.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/mklink.html", - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ - "attack.credential_access", - "attack.t1546.008" + "attack.execution", + "attack.t1047", + "car.2016-03-002" ] }, "related": [ { - "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e9b61244-893f-427c-b287-3e708f321c6b", - "value": "Potential Privilege 
Escalation Using Symlink Between Osk and Cmd" + "uuid": "e568650b-5dcd-4658-8f34-ded0b1e13992", + "value": "Potential Product Class Reconnaissance Via Wmic.EXE" + }, + { + "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dumpminitool_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "value": "Suspicious DumpMinitool Usage" }, { "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", 
@@ -62724,6 +62811,41 @@ "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", "value": "Execution of Powershell Script in Public Folder" }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/07", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + ], + "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/frack113/status/1555830623633375232", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", + "value": "Use Short Name Path in Image" + }, { "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", "meta": { 
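Review bot: The new description for `a96970af-f126-420d-90e1-d37bf25e50e1` reads "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", where the second sentence is a fragment; suggest `"description": "Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection"`. Since this file appears to mirror the Sigma rule descriptions, the wording fix presumably belongs in the upstream `proc_creation_win_susp_ntfs_short_name_path_use_image.yml` rule so it is not lost on the next regeneration.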
@@ -62739,8 +62861,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -62760,29 +62882,6 @@ "uuid": "add64136-62e5-48ea-807e-88638d02df1e", "value": "Fsutil Suspicious Invocation" }, - { - "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "37e8d358-6408-4853-82f4-98333fca7014", - "value": "Execution of NetSupport RAT From Unusual Location" - }, { "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "meta": { 
@@ -62830,8 +62929,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ 
@@ -62861,37 +62960,27 @@ "value": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { - "description": "Detects the execution of CSharp interactive console by PowerShell", + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "meta": { - "author": "Michael R. (@nahamike01)", - "creation_date": "2020/03/08", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/01/11", "falsepositive": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + "Unknown" ], - "filename": "proc_creation_win_susp_use_of_csharp_console.yml", + "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml" + "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml" ], "tags": [ - "attack.execution", - "attack.t1127" + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "value": "Suspicious Use of CSharp Interactive Console" + "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "value": "Potential PowerShell Execution Policy Tampering - ProcCreation" }, { "description": "Detects the use of a renamed SysInternals Sdelete, which is something an 
administrator shouldn't do (the renaming)", @@ -62906,8 +62995,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ 
@@ -62928,41 +63017,32 @@ "value": "Renamed Sysinternals Sdelete Execution" }, { - "description": "Detects a Windows program executable started from a suspicious folder", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", "meta": { - "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", - "creation_date": "2017/11/27", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "creation_date": "2021/12/17", "falsepositive": [ - "Exotic software" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "filename": "proc_creation_win_system_exe_anomaly.yml", - "level": "high", + "filename": "proc_creation_win_java_susp_child_process_2.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/39828/", - "https://twitter.com/GelosSnake/status/934900723426439170", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1036" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ] }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "value": "System File Execution Location Anomaly" + "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "value": "Shells Spawned by Java" }, { - "description": "Detects usage of findstr with the \"EVERYONE\" keyword. 
This is often used in combination with icacls to look for misconfigured files or folders permissions", + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", @@ -62992,7 +63072,7 @@ } ], "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", - "value": "Suspicious Recon Activity Using Findstr Keywords" + "value": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" }, { "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", @@ -63007,12 +63087,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ 
@@ -63081,11 +63161,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", - "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", - "https://www.joesandbox.com/analysis/443736/0/html", - "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://www.joesandbox.com/analysis/443736/0/html", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], "tags": [ 
@@ -63106,65 +63186,6 @@ "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", "value": "REvil Kaseya Incident Malware Patterns" }, - { - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_obfuscated_ip_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", - "https://h.43z.one/ipconverter/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", - "value": "Obfuscated IP Download" - }, - { - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "meta": { - "author": "Wojciech Lesicki", - "creation_date": "2021/06/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/threat-detection-report/", - "https://www.cobaltstrike.com/help-windows-executable", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", - "value": "CobaltStrike Load by 
Rundll32" - }, { "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", "meta": { @@ -63201,8 +63222,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ 
@@ -63251,40 +63272,73 @@ "value": "Potential Network Sniffing Activity Using Network Tools" }, { - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/23", + "creation_date": "2018/03/17", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "proc_creation_win_selectmyparent.yml", + "filename": "proc_creation_win_tscon_localsystem.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1134.004" + "attack.command_and_control", + "attack.t1219" ] }, "related": [ { - "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", - "value": "PPID Spoofing Tool Usage" + 
"uuid": "9847f263-4a81-424f-970c-875dab15b79b", + "value": "Suspicious TSCON Start as SYSTEM" + }, + { + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/14", + "falsepositive": [ + "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" + ], + "filename": "proc_creation_win_lolbin_dotnet_dump.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", + "https://twitter.com/bohops/status/1635288066909966338", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", + "value": "Process Memory Dump Via Dotnet-Dump" }, { "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", 
@@ -63442,37 +63496,77 @@ "value": "PUA - CsExec Execution" }, { - "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "meta": { "author": "frack113", - "creation_date": "2022/02/04", + "creation_date": "2022/04/08", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_cmd_redirect_to_stream.yml", + "filename": "proc_creation_win_vaultcmd_list_creds.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect_to_stream.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1564.004" + "attack.credential_access", + "attack.t1555.004" ] }, "related": [ { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", - "value": "Cmd Stream Redirection" + "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "value": "Windows Credential Manager Access via VaultCmd" + }, + { + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "meta": { + "author": "FPT.EagleEye Team, wagga", + 
"creation_date": "2020/12/11", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_mssql_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml" + ], + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "value": "Suspicious Shells Spawn by SQL Server" }, { "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", @@ -63487,8 +63581,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ 
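Review bot: The added cluster `869b9ca7-9ea2-4a5a-8325-e80e62f75445` ("Suspicious Shells Spawn by SQL Server") sets `"falsepositive": "No established falsepositives"` as a bare string, while every other entry in this hunk and its neighbours uses an array, e.g. `"falsepositive": ["Unknown"]`. Consumers that iterate the field as a list will either fail or iterate characters on this one entry; it should be `"falsepositive": ["No established falsepositives"]`. If this file is generated from the Sigma rule, the upstream `proc_creation_win_mssql_susp_child_process.yml` presumably carries the scalar and should be normalised there too.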
@@ -63584,6 +63678,40 @@ "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "value": "Computer System Reconnaissance Via Wmic.EXE" }, + { + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "System administrator usage", + "Anti virus products" + ], + "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "value": "Always Install Elevated Windows Installer" + }, { "description": "Atbroker executing non-deafualt Assistive Technology applications", "meta": { @@ -63597,8 +63725,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ 
@@ -63618,48 +63746,6 @@ "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "value": "Suspicious Atbroker Execution" }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "meta": { - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation" - }, { "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", "meta": { 
@@ -63673,9 +63759,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/fireeye/DueDLLigence", + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ 
@@ -63729,88 +63815,61 @@ "value": "Enumeration for Credentials in Registry" }, { - "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", "meta": { - "author": "frack113", - "creation_date": "2022/12/09", + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/06", "falsepositive": [ - "Very Likely, including launching cmd.exe via Run As Administrator" + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], - "filename": "proc_creation_win_susp_conhost_option.yml", - "level": "informational", + "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" + "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1112" ] }, "related": 
[ { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", - "value": "Suspicious High IntegrityLevel Conhost Legacy Option" + "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", + "value": "Suspicious VBoxDrvInst.exe Parameters" }, { - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", + "description": "Detects encoded base64 MZ header in the commandline", "meta": { - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", - "creation_date": "2021/12/17", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/12", "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" + "Unlikely" ], - "filename": "proc_creation_win_shell_spawn_by_java.yml", - "level": "medium", + "filename": "proc_creation_win_susp_inline_base64_mz_header.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml" ], "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" + "attack.execution" ] }, - "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "value": "Shells Spawned by Java" - }, - { - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "meta": { - "author": "frack113", - "creation_date": "2022/11/17", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_susp_msbuild.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.echotrail.io/insights/search/msbuild.exe", - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", - "value": "Suspicious Msbuild Execution By Uncommon Parent Process" + "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "value": "Base64 MZ Header In CommandLine" }, { "description": "Detects the creation of scheduled tasks in user session", 
@@ -63850,74 +63909,71 @@ "value": "Scheduled Task Creation" }, { - "description": "Detects a code page switch in command line or batch scripts to a rare language", + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/10/14", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/07/14", "falsepositive": [ - "Administrative activity (adjust code pages according to your organisation's region)" + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], - "filename": "proc_creation_win_susp_codepage_switch.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", - "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" - ], - "tags": [ - "attack.t1036", - "attack.defense_evasion" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", - "value": "Suspicious Code Page Switch" - }, - { - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/12/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_chromium_headless_debugging.yml", + "filename": "proc_creation_win_servu_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", - "https://github.com/defaultnamehere/cookie_crimes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml" ], "tags": [ "attack.credential_access", - "attack.t1185" + "attack.t1555", + "cve.2021.35211" ] }, "related": [ { - "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", - "value": "Potential Data Stealing Via Chromium Headless Debugging" + "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "value": "Suspicious Serv-U Process Pattern" + }, + { + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_where_browser_data_recon.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "value": "Suspicious Where Execution" }, { "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", @@ -63934,8 +63990,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ 
@@ -63989,39 +64045,6 @@ "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "value": "Potential NTLM Coercion Via Certutil.EXE" }, - { - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/02/11", - "falsepositive": [ - "Legitimate use by administrative staff" - ], - "filename": "proc_creation_win_susp_screenconnect_access.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ] - }, - "related": [ - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", - "value": "ScreenConnect Remote Access" - }, { "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", "meta": { 
@@ -64090,6 +64113,30 @@ "uuid": "ed825c86-c009-4014-b413-b76003e33d35", "value": "Windows Binary Executed From WSL" }, + { + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.lateral_movement" + ] + }, + "uuid": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", + "value": "HackTool - Wmiexec Default Powershell Command" + }, { "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", "meta": { 
@@ -64149,76 +64196,6 @@ "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", "value": "Potential SquiblyTwo Technique Execution" }, - { - "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/12/23", - "falsepositive": [ - "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" - ], - "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", - "value": "Lazarus Activity Dec20" - }, - { - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/03/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" - ] - }, - "related": [ - { - "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", - "value": "Suspicious UltraVNC Execution" - }, { "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", "meta": { 
@@ -64320,6 +64297,29 @@ "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "value": "Ie4uinit Lolbin Use From Invalid Path" }, + { + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "value": "NtdllPipe Like Activity Execution" + }, { "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", "meta": { @@ -64335,9 +64335,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://vms.drweb.fr/virus/?i=24144899", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://twitter.com/JohnLaTwC/status/1415295021041979392", - "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ 
@@ -64370,8 +64370,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sourceforge.net/projects/mouselock/", "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ @@ -64392,48 +64392,6 @@ "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", "value": "PUA - Mouse Lock Execution" }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" - }, { "description": "Detects the export of the target Registry key to a file.", "meta": { 
@@ -64447,8 +64405,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ 
@@ -64552,6 +64510,137 @@ "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", "value": "Exploit for CVE-2017-0261" }, + { + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/14", + "falsepositive": [ + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" + ], + "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "value": "Weak or Abused Passwords In CLI" + }, + { + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/02/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_cmd_sticky_keys_replace.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" + ], + "tags": [ + "attack.t1546.008", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "value": "Persistence Via Sticky Key Backdoor" + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "meta": { + "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ] + }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "value": "Sticky Key Like Backdoor 
Execution" + }, + { + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "meta": { + "author": "Florian Roth (Nextron Systems), Tigzy", + "creation_date": "2021/11/17", + "falsepositive": [ + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + ], + "filename": "proc_creation_win_winrar_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1460978167628406785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", + "value": "Winrar Execution in Non-Standard Folder" + }, { "description": "Detects wmiprvse spawning processes", "meta": { 
@@ -64653,40 +64742,6 @@ "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "value": "Suspicious Regsvr32 Execution From Remote Share" }, - { - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/07/27", - "falsepositive": [ - "Other programs that cause these patterns (please report)" - ], - "filename": "proc_creation_win_cobaltstrike_process_patterns.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f35c5d71-b489-4e22-a115-f003df287317", - "value": "CobaltStrike Process Patterns" - }, { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { 
@@ -64700,8 +64755,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -64790,6 +64845,37 @@ "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", "value": "PUA - NPS Tunneling Tool Execution" }, + { + "description": "Detects a Windows command line executable started from MMC", + "meta": { + "author": "Karneades, Swisscom CSIRT", + "creation_date": "2019/08/05", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_mmc_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "value": "MMC Spawning Windows Shell" + }, { "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "meta": { 
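Review bot: The new "MMC Spawning Windows Shell" entry in the second hunk on this line sets `"falsepositive": "No established falsepositives"` as a bare string, while every other cluster in this diff (and the surrounding file) carries `falsepositive` as an array of strings; a consumer that iterates the field as a list will iterate the characters of that string instead. The entry should read `"falsepositive": [ "No established falsepositives" ],` to match the schema the rest of the file follows. If this file is produced from the Sigma rule metadata, the same scalar-vs-list mismatch presumably originates in that rule's `falsepositives` value, and the generator should coerce a scalar to a one-element list so the inconsistency cannot recur.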
@@ -64826,10 +64912,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -64898,9 +64984,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], 
@@ -64934,8 +65020,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ 
@@ -64955,6 +65041,72 @@ "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", "value": "Potential Process Injection Via Msra.EXE" }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_winrm_awl_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" + }, + { + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_splwow64_cli_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "value": "Suspicious Splwow64 Without Params" + }, { "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", "meta": { @@ -65035,8 +65187,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" @@ -65104,9 +65256,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], "tags": [ 
@@ -65127,27 +65279,72 @@ "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" }, { - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/19", + "author": "behops, Bhabesh Raj", + "creation_date": "2021/10/08", "falsepositive": [ - "Unknown" + "Legitimate use by administrator" ], - "filename": "proc_creation_win_susp_rurat_exec_location.yml", + "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", + "value": "VMToolsd Suspicious Child Process" + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_win_reg_software_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml" + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ - "attack.defense_evasion" + "attack.discovery", + "attack.t1518" ] }, - "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", - "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location" + "related": [ + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "value": "Detected Windows Software Discovery" }, { "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", @@ -65162,8 +65359,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml" ], "tags": [ 
@@ -65184,21 +65381,71 @@ "value": "Share And Session Enumeration Using Net.EXE" }, { - "description": "Detects a specific tool and export used by EquationGroup", + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "meta": { + "author": "Florian Roth (Nextron Systems), Tim Shelton", + "creation_date": "2018/04/06", + "falsepositive": [ + "Administrative scripts", + "Microsoft SCCM" + ], + "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "value": "Windows Shell/Scripting Processes Spawning Suspicious Programs" + }, + { + "description": "Detects a specific export function name used by one of EquationGroup tools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/03/04", "falsepositive": [ - "Unknown" + "Unlikely" ], "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml", "level": "critical", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://twitter.com/cyb3rops/status/972186477512839170", - "https://securelist.com/apt-slingshot/84312/", + "https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ @@ -65217,7 +65464,7 @@ } ], "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "value": "Equation Group DLL_U Load" + "value": "Equation Group DLL_U Export Function Load" }, { "description": "Detects inline execution of PowerShell code from a file", 
@@ -65240,62 +65487,6 @@ "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "value": "Powershell Inline Execution From A File" }, - { - "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_set_unsecure_powershell_policy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", - "value": "Potential PowerShell Execution Policy Tampering - ProcCreation" - }, - { - "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/01", - "falsepositive": [ - "Some FP is expected with some installers" - ], - "filename": "proc_creation_win_susp_clsid_foldername.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Kostastsale/status/1565257924204986369", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "related": [ - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - 
"uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "value": "Suspicious CLSID Folder Name In Suspicious Locations" - }, { "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", "meta": { @@ -65343,10 +65534,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -65379,10 +65570,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ 
@@ -65471,6 +65662,81 @@ "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "value": "Suspicious Command With Teams Objects Paths" }, + { + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/28", + "falsepositive": [ + "Legitimate piping of the password to anydesk", + "Some FP could occur with similar tools that uses the same command line '--set-password'" + ], + "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "value": "Remote Access Tool - AnyDesk Piped Password Via CLI" + }, + { + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "value": "VolumeShadowCopy Symlink Creation Via Mklink" + }, { "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", "meta": { 
@@ -65497,40 +65763,40 @@ "value": "Suspicious LOLBIN AccCheckConsole" }, { - "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", + "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", "meta": { "author": "@gott_cyber", "creation_date": "2022/09/02", "falsepositive": [ - "Unknown" + "Since the content of the files are unknown, false positives are expected" ], "filename": "proc_creation_win_ldifde_file_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", - "attack.t1218" + "attack.t1218", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -65538,7 +65804,7 @@ } ], "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", - "value": "Suspicious Ldifde Command Usage" + "value": "Import LDAP Data Interchange Format File Via Ldifde.EXE" }, { "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", 
@@ -65553,17 +65819,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -65615,8 +65881,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1186631731543236608", - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://github.com/Neo23x0/DLLRunner", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], 
@@ -65638,55 +65904,37 @@ "value": "Suspicious Call by Ordinal" }, { - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "description": "Detects the execution of CSharp interactive console by PowerShell", "meta": { - "author": "Florian Roth (Nextron Systems), Tim Shelton", - "creation_date": "2018/04/06", + "author": "Michael R. (@nahamike01)", + "creation_date": "2020/03/08", "falsepositive": [ - "Administrative scripts", - "Microsoft SCCM" + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], - "filename": "proc_creation_win_shell_spawn_susp_program.yml", + "filename": "proc_creation_win_csi_use_of_csharp_console.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" + "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml" ], "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "attack.t1127" ] }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], - "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "value": "Windows Shell/Scripting Processes Spawning Suspicious Programs" + "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "value": "Suspicious Use of CSharp Interactive Console" }, { "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", 
@@ -65723,43 +65971,7 @@ "value": "PUA - Wsudo Suspicious Execution" }, { - "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2020/10/13", - "falsepositive": [ - "System administrator Usage" - ], - "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "related": [ - { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", - "value": "Permission Check Via Accesschk.EXE" - }, - { - "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", "meta": { "author": "frack113", "creation_date": "2021/11/29", 
@@ -65839,11 +66051,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml" ], "tags": [ 
@@ -65954,37 +66166,46 @@ "value": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "description": "Detects a ping command that uses a hex encoded IP address", "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/03/23", "falsepositive": [ - "Unknown" + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], - "filename": "proc_creation_win_remote_desktop_tunneling.yml", - "level": "medium", + "filename": "proc_creation_win_ping_hex_ip.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml" + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" ] }, "related": [ { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": 
"8a3038e8-9c9d-46f8-b184-66234a160f6f", - "value": "Potential Remote Desktop Tunneling" + "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "value": "Ping Hex IP" }, { "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", @@ -66062,39 +66283,6 @@ "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", "value": "Exploiting CVE-2019-1388" }, - { - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "related": [ - { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", - "value": "Always Install Elevated MSI Spawned Cmd And Powershell" - }, { "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "meta": { 
@@ -66109,11 +66297,11 @@ "logsource.product": "windows", "refs": [ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://github.com/ohpe/juicy-potato", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://www.localpotato.com/", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", + "https://www.localpotato.com/", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ 
@@ -66133,6 +66321,80 @@ "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", "value": "Potential SMB Relay Attack Tool Execution" }, + { + "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_vbscript_pattern.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "related": [ + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "value": "Suspicious VBScript UN2452 Pattern" + }, + { + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" + ] + }, + "related": [ + { + 
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ef61af62-bc74-4f58-b49b-626448227652", + "value": "Suspicious Active Directory Database Snapshot Via ADExplorer" + }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", "meta": { @@ -66179,11 +66441,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -66218,8 +66480,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://twitter.com/killamjr/status/1179034907932315648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" ], "tags": [ 
@@ -66295,8 +66557,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -66340,6 +66602,29 @@ "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "value": "Renamed ZOHO Dctask64 Execution" }, + { + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "37e8d358-6408-4853-82f4-98333fca7014", + "value": "Remote Access Tool - NetSupport Execution From Unusual Location" + }, { "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "meta": { 
@@ -66351,8 +66636,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_adwind.yml" ], "tags": [ @@ -66393,11 +66678,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1326228491302563846", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://twitter.com/mattifestation/status/1326228491302563846", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ 
@@ -66435,41 +66720,6 @@ "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "value": "MSHTA Suspicious Execution 01" }, - { - "description": "Detects active directory enumeration activity using known AdFind CLI flags", - "meta": { - "author": "frack113", - "creation_date": "2021/12/13", - "falsepositive": [ - "Authorized administrative activity" - ], - "filename": "proc_creation_win_adfind_enumeration.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", - "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adfind_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ] - }, - "related": [ - { - "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "value": "Suspicious ActiveDirectory Enumeration Via AdFind.EXE" - }, { "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", "meta": { 
@@ -66528,6 +66778,39 @@
 "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee",
 "value": "Suspicious Parent of Csc.exe"
 },
+ {
+ "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n",
+ "meta": {
+ "author": "oscd.community, @redcanary, Zach Stanford @svch0st",
+ "creation_date": "2023/03/05",
+ "falsepositive": [
+ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"
+ ],
+ "filename": "proc_creation_win_certutil_certificate_installation.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d2125259-ddea-4c1c-9c22-977eb5b29cf0",
+ "value": "New Root Certificate Installed Via Certutil.EXE"
+ },
 {
 "description": "Detect use of X509Enrollment",
 "meta": {
@@ -66542,8 +66825,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": "No established tags"
@@ -66551,47 +66834,6 @@
 "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4",
 "value": "Suspicious X509Enrollment - Process Creation"
 },
- {
- "description": "Shadow Copies storage symbolic link creation using operating systems utilities",
- "meta": {
- "author": "Teymur Kheirkhabarov, oscd.community",
- "creation_date": "2019/10/22",
- "falsepositive": [
- "Legitimate administrator working with shadow copies, access for backup purposes"
- ],
- "filename": "proc_creation_win_shadow_copies_access_symlink.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002",
- "attack.t1003.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf",
- "value": "Shadow Copies Access via Symlink"
- },
 {
 "description": "Detects the execution of a renamed \"Msdt.exe\" binary",
 "meta": {
@@ -66659,6 +66901,41 @@
 "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423",
 "value": "HackTool - WinRM Access Via Evil-WinRM"
 },
+ {
+ "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/07/18",
+ "falsepositive": [
+ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)"
+ ],
+ "filename": "proc_creation_win_wpbbin_potential_persistence.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1542.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145",
+ "value": "UEFI Persistence Via Wpbbin - ProcessCreation"
+ },
 {
 "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.",
 "meta": {
@@ -66726,6 +67003,30 @@
 "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120",
 "value": "UtilityFunctions.ps1 Proxy Dll"
 },
+ {
+ "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/11/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_powercfg_execution.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b",
+ "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout"
+ },
 {
 "description": "Identifies the creation of local users via the net.exe command.",
 "meta": {
@@ -66762,80 +67063,39 @@
 "value": "New User Created Via Net.EXE"
 },
 {
- "description": "Detects a suspicious RDP session redirect using tscon.exe",
+ "description": "This rule detects the execution of Run Once task as configured in the registry",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/03/17",
+ "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)",
+ "creation_date": "2020/10/18",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml",
- "level": "high",
+ "filename": "proc_creation_win_runonce_execution.yml",
+ "level": "low",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
- "attack.lateral_movement",
- "attack.t1563.002",
- "attack.t1021.001",
- "car.2013-07-002"
+ "attack.defense_evasion",
+ "attack.t1112"
 ]
 },
 "related": [
 {
- "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb",
- "value": "Suspicious RDP Redirect Using TSCON"
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/09/25",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_netsupport.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "related": [
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f",
- "value": "Use of NetSupport Remote Access Software"
+ "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c",
+ "value": "Run Once Task Execution as Configured in Registry"
 },
 {
 "description": "Commandline to launch powershell with a base64 payload",
@@ -66850,8 +67110,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
@@ -66951,8 +67211,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
 ],
@@ -66973,40 +67233,6 @@
 "uuid": "ea011323-7045-460b-b2d7-0f7442ea6b38",
 "value": "Potential PsExec Remote Execution"
 },
- {
- "description": "Detects Hurricane Panda Activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_hurricane_panda.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.g0009",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7",
- "value": "Hurricane Panda Activity"
- },
 {
 "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.",
 "meta": {
@@ -67020,8 +67246,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml"
 ],
 "tags": [
@@ -67063,10 +67289,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml"
 ],
 "tags": [
@@ -67086,40 +67312,6 @@
 "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4",
 "value": "Suspicious Csc.exe Source File Folder"
 },
- {
- "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass",
- "meta": {
- "author": "@pbssubhash , Nasreddine Bencherchali",
- "creation_date": "2022/12/08",
- "falsepositive": [
- "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine."
- ],
- "filename": "proc_creation_win_lsass_shtinkering.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3",
- "value": "Potential Credential Dumping Via WER"
- },
 {
 "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields",
 "meta": {
@@ -67162,74 +67354,6 @@
 "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c",
 "value": "Renamed FTP.EXE Execution"
 },
- {
- "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'",
- "meta": {
- "author": "Aedan Russell, frack113 (sigma)",
- "creation_date": "2022/06/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_chrome_load_extension.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/chromeloader/",
- "https://emkc.org/s/RJjuLa",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1176"
- ]
- },
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
- "value": "Powershell ChromeLoader Browser Hijacker"
- },
- {
- "description": "Detects command line parameters or strings often used by crypto miners",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/10/26",
- "falsepositive": [
- "Legitimate use of crypto miners",
- "Some build frameworks"
- ],
- "filename": "proc_creation_win_crypto_mining_monero.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1496"
- ]
- },
- "related": [
- {
- "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55",
- "value": "Potential Crypto Mining Activity"
- },
 {
 "description": "Detects Base64 encoded Shellcode",
 "meta": {
@@ -67457,6 +67581,40 @@
 "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b",
 "value": "Findstr Launching .lnk File"
 },
+ {
+ "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/08/19",
+ "falsepositive": [
+ "GPO"
+ ],
+ "filename": "proc_creation_win_reg_screensaver.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1546.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f",
+ "value": "Suspicious ScreenSave Change by Reg.exe"
+ },
 {
 "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line",
 "meta": {
@@ -67531,83 +67689,6 @@
 "uuid": "36210e0d-5b19-485d-a087-c096088885f0",
 "value": "Suspicious PowerShell Parameter Substring"
 },
- {
- "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
- "meta": {
- "author": "frack113, Nasreddine Bencherchali",
- "creation_date": "2022/08/20",
- "falsepositive": [
- "Legitimate use of Pester for writing tests for Powershell scripts and modules"
- ],
- "filename": "proc_creation_win_susp_pester_parent.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1216"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878",
- "value": "Execute Code with Pester.bat as Parent"
- },
- {
- "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/19",
- "falsepositive": [
- "GPO"
- ],
- "filename": "proc_creation_win_susp_screensaver_reg.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1546.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f",
- "value": "Suspicious ScreenSave Change by Reg.exe"
- },
 {
 "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.",
 "meta": {
@@ -67621,8 +67702,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
 ],
 "tags": [
@@ -67642,40 +67723,6 @@
 "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
 "value": "Boot Configuration Tampering Via Bcdedit.EXE"
 },
- {
- "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/09/28",
- "falsepositive": [
- "Legitimate piping of the password to anydesk",
- "Some FP could occur with similar tools that uses the same command line '--set-password'"
- ],
- "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "related": [
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c",
- "value": "AnyDesk Piped Password Via CLI"
- },
 {
 "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.",
 "meta": {
@@ -67776,6 +67823,48 @@
 "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6",
 "value": "Suspicious Minimized MSEdge Start"
 },
+ {
+ "description": "Detects suspicious print spool service (spoolsv.exe) child processes.",
+ "meta": {
+ "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)",
+ "creation_date": "2021/07/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_spoolsv_susp_child_processes.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.privilege_escalation",
+ "attack.t1068"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b",
+ "value": "Suspicious Spool Service Child Process"
+ },
 {
 "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.",
 "meta": {
@@ -67789,8 +67878,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
 "https://github.com/byt3bl33d3r/CrackMapExec",
+ "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
 ],
 "tags": [
@@ -67820,72 +67909,71 @@
 "value": "HackTool - CrackMapExec PowerShell Obfuscation"
 },
 {
- "description": "Detects suspicious process injection using ZOHO's dctask64.exe",
+ "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/01/28",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/08/31",
 "falsepositive": [
- "Unknown yet"
+ "Rare legitimate inline scripting by some administrators"
 ],
- "filename": "proc_creation_win_susp_dctask64_proc_inject.yml",
+ "filename": "proc_creation_win_script_wscript_shell_cli.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
+ "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_wscript_shell_cli.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
+ "attack.execution",
+ "attack.t1059"
 ]
 },
 "related": [
 {
- "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "6345b048-8441-43a7-9bed-541133633d7a",
- "value": "ZOHO Dctask64 Process Injection"
+ "uuid": "2c28c248-7f50-417a-9186-a85b223010ee",
+ "value": "Wscript Shell Run In CommandLine"
 },
 {
- "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks",
+ "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants",
 "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/06",
+ "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)",
+ "creation_date": "2022/08/25",
 "falsepositive": [
- "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater"
+ "Unlikely"
 ],
- "filename": "proc_creation_win_susp_gup.yml",
- "level": "high",
+ "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml",
+ "level": "critical",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml"
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1574.002"
+ "attack.execution",
+ "attack.t1059"
 ]
 },
 "related": [
 {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b",
- "value": "Suspicious GUP Usage"
+ "uuid": "42333b2c-b425-441c-b70e-99404a17170f",
+ "value": "HackTool - Sliver C2 Implant Activity Pattern"
 },
 {
 "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.",
@@ -67900,10 +67988,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -67970,8 +68058,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
 "https://github.com/cube0x0",
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml"
 ],
 "tags": "No established tags"
@@ -68012,6 +68100,42 @@
 "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19",
 "value": "HackTool - Impacket Tools Execution"
 },
+ {
+ "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2018/09/03",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_apt_apt27_emissary_panda.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/cyb3rops/status/1168863899531132929",
+ "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
+ "https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt27_emissary_panda.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002",
+ "attack.g0027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014",
+ "value": "APT27 - Emissary Panda Activity"
+ },
 {
 "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.",
 "meta": {
@@ -68036,40 +68160,6 @@
 "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713",
 "value": "Rundll32 With Suspicious Parent Process"
 },
- {
- "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup",
- "meta": {
- "author": "behops, Bhabesh Raj",
- "creation_date": "2021/10/08",
- "falsepositive": [
- "Legitimate use by administrator"
- ],
- "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5687f942-867b-4578-ade7-1e341c46e99a",
- "value": "VMToolsd Suspicious Child Process"
- },
 {
 "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.",
 "meta": {
@@ -68112,41 +68202,6 @@
 "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78",
 "value": "Scheduled Task Executing Powershell Encoded Payload from Registry"
 },
- {
- "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.",
- "meta": {
- "author": "frack113, Tim Shelton (update fp)",
- "creation_date": "2022/12/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cmd.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "178e615d-e666-498b-9630-9ed363038101",
- "value": "Suspicious Elevated System Shell"
- },
 {
 "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).",
 "meta": {
@@ -68190,6 +68245,42 @@
 "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723",
 "value": "Suspicious Remote Child Process From Outlook"
 },
+ {
+ "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)",
+ "creation_date": "2023/03/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/aceresponder/status/1636116096506818562",
+ "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
+ "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048.003",
+ "cve.2023.23397"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555",
+ "value": "Suspicious WebDav Client Execution"
+ },
 {
 "description": "Detects command line patterns used by BlackByte ransomware in different operations",
 "meta": {
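Review bot: The description of the new `proc_creation_win_rundll32_webdav_client_susp_execution.yml` entry ends with an escaped newline (`...CVE-2023-23397\n`), which no other entry added in this diff carries and which renders as a stray trailing line break wherever the cluster value is displayed. This looks like a YAML block scalar copied verbatim from the source rule by whatever produces this file; trimming trailing whitespace from the description before serialising (for example a `.strip()` on the field, if the generator is Python) would keep the cluster text consistent. The sticky-keys entry removed in the later hunk starting at `@@ -69215` carried the same trailing `\n`, so the pattern predates this change and is worth fixing at the generator rather than entry by entry.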
@@ -68224,8 +68315,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1618021415852335105",
 "https://twitter.com/nas_bench/status/1618021838407495681",
+ "https://twitter.com/nas_bench/status/1618021415852335105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -68254,6 +68345,73 @@
 "uuid": "5a3164f2-b373-4152-93cf-090b13c12d27",
 "value": "VsCode Child Process Anomaly"
 },
+ {
+ "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/08/12",
+ "falsepositive": [
+ "Administrative activity"
+ ],
+ "filename": "proc_creation_win_susp_add_user_local_admin_group.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5",
+ "value": "Add User to Local Administrators Group"
+ },
+ {
+ "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).",
+ "meta": {
+ "author": "Sittikorn S",
+ "creation_date": "2021/06/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_scrcons_susp_child_process.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", + "value": "Script Event Consumer Spawning Process" + }, { "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", "meta": { @@ -68267,8 +68425,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ @@ -68301,8 +68459,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], 
@@ -68332,6 +68490,74 @@
 "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40",
 "value": "Bypass UAC via CMSTP"
 },
+ {
+ "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.",
+ "meta": {
+ "author": "Julia Fomina, oscd.community",
+ "creation_date": "2020/10/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_rpcping_credential_capture.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "93671f99-04eb-4ab4-a161-70d446a84003",
+ "value": "Capture Credentials with Rpcping.exe"
+ },
+ {
+ "description": "Detects the creation of a process from Windows task manager",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2018/03/13",
+ "falsepositive": [
+ "Administrative activity"
+ ],
+ "filename": "proc_creation_win_taskmgr_susp_child_process.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036"
+ ]
+ },
+ "related": [
+ {
+
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "value": "Taskmgr as Parent" + }, { "description": "Detects the use of Advanced Port Scanner.", "meta": { @@ -68387,9 +68613,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ 
@@ -68442,32 +68668,6 @@
 "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7",
 "value": "PUA - DefenderCheck Execution"
 },
- {
- "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2021/12/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
- "https://redcanary.com/blog/intelligence-insights-december-2021",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.persistence",
- "attack.privilege_escalation"
- ]
- },
- "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938",
- "value": "Suspicious Shells Spawn by Java Utility Keytool"
- },
 {
 "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
 "meta": {
@@ -68482,8 +68682,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/tevora-threat/SharpView/",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
 "tags": [
@@ -68535,39 +68735,6 @@
 "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d",
 "value": "HackTool - SharpView Execution"
 },
- {
- "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)",
- "meta": {
- "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2020/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_lazarus_session_highjack.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b",
- "value": "Lazarus Session Highjacker"
- },
 {
 "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config",
 "meta": {
@@ -68581,9 +68748,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://github.com/hfiref0x/UACME",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -68617,8 +68784,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/",
 "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
+ "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml"
 ],
 "tags": [
@@ -68760,8 +68927,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
+ "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"
 ],
@@ -68837,9 +69004,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://www.revshells.com/",
 "https://nmap.org/ncat/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
 "tags": [
@@ -68872,11 +69039,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
 ],
 "tags": [
@@ -68896,6 +69063,40 @@
 "uuid": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b",
 "value": "Suspicious Download Via Certutil.EXE"
 },
+ {
+ "description": "Detects usage of the \"systeminfo\" command to retrieve information",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_systeminfo_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46",
+ "value": "Suspicious Execution of Systeminfo"
+ },
 {
 "description": "Detects execution of \"dsquery.exe\" for domain trust discovery",
 "meta": {
@@ -68930,6 +69131,50 @@
 "uuid": "3bad990e-4848-4a78-9530-b427d854aac0",
 "value": "Domain Trust Discovery Via Dsquery"
 },
+ {
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/03/12",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "proc_creation_win_susp_network_scan_loop.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://ss64.com/nt/for.html",
+ "https://ss64.com/ps/foreach-object.htmll",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059",
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23",
+ "value": "Suspicious Scan Loop Network"
+ },
 {
 "description": "Detects execution of javascript code using \"mshta.exe\".",
 "meta": {
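Review bot: The second `refs` entry of the new `proc_creation_win_susp_network_scan_loop.yml` cluster reads `https://ss64.com/ps/foreach-object.htmll`, with a doubled `l` in the extension, so it is presumably a dead link; the sibling entry `https://ss64.com/nt/for.html` shows the intended form, `https://ss64.com/ps/foreach-object.html`. Since this entry appears to mirror the upstream Sigma rule named in its `filename` field, the correction belongs in that rule's reference list as well as here, otherwise the next regeneration of this file would reintroduce the typo.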
@@ -68943,8 +69188,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -68977,8 +69222,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml"
 ],
 "tags": [
@@ -69065,46 +69310,6 @@
 "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d",
 "value": "Curl.EXE Execution"
 },
- {
- "description": "Detects suspicious file execution by wscript and cscript",
- "meta": {
- "author": "Michael Haag",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy."
- ],
- "filename": "proc_creation_win_susp_script_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288",
- "value": "WSF/JSE/JS/VBA/VBE File Execution"
- },
 {
 "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities",
 "meta": {
@@ -69139,46 +69344,28 @@
 "value": "Delete Important Scheduled Task"
 },
 {
- "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
+ "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command",
 "meta": {
- "author": "Timur Zinniatullin, oscd.community",
- "creation_date": "2020/10/13",
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/08/03",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_invoke_obfuscation_via_var.yml",
- "level": "high",
+ "filename": "proc_creation_win_susp_obfuscated_ip_download.yml",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml"
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "attack.discovery"
 ]
 },
- "related": [
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e",
- "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
+ "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d",
+ "value": "Obfuscated IP Download"
 },
 {
 "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions.
Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.",
@@ -69215,41 +69402,7 @@
 "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
 },
 {
- "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n",
- "meta": {
- "author": "Sreeman",
- "creation_date": "2020/02/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml"
- ],
- "tags": [
- "attack.t1546.008",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3",
- "value": "Sticky-Key Backdoor Copy Cmd.exe"
- },
- {
- "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020",
+ "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2020/07/10",
@@ -69261,8 +69414,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
 "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
 ],
 "tags": [
@@ -69280,7 +69433,7 @@
 }
 ],
 "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0",
- "value": "EvilNum Golden Chickens Deployment via OCX Files"
+ "value": "EvilNum APT Golden Chickens Deployment Via OCX Files"
 },
 {
 "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique",
@@ -69318,8 +69471,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
 ],
 "tags": [
@@ -69340,37 +69493,37 @@
 "value": "Suspicious Process Created Via Wmic.EXE"
 },
 {
- "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration",
+ "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local",
 "meta": {
- "author": "frack113",
- "creation_date": "2021/07/20",
+ "author": "Florian Roth (Nextron Systems), Tim Shelton",
+ "creation_date": "2019/10/02",
 "falsepositive": [
- "Unknown"
+ "Unlikely"
 ],
- "filename": "proc_creation_win_susp_zip_compress.yml",
- "level": "medium",
+ "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml",
+ "level": "critical",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml"
+ "https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_aptc12_bluemushroom.yml"
 ],
 "tags": [
- "attack.collection",
- "attack.t1074.001"
+ "attack.defense_evasion",
+ "attack.t1218.010"
 ]
 },
 "related": [
 {
- "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98",
- "value": "Zip A Folder With PowerShell For Staging In Temp"
+ "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
+ "value": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32"
 },
 {
 "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).",
@@ -69387,10 +69540,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
@@ -69420,117 +69573,6 @@ "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clear or Configuration Change" }, - { - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "meta": { - "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2018/03/15", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_stickykey_like_backdoor.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" - ] - }, - "related": [ - { - "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "value": "Sticky Key Like Backdoor Usage" - }, - { - "description": "Looks for changes to registry to disable any write-protect property for storage devices. 
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", - "meta": { - "author": "Sreeman", - "creation_date": "2021/06/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_write_protect_for_storage_disabled.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", - "value": "Write Protect For Storage Disabled" - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "meta": { - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "creation_date": "2019/10/26", - "falsepositive": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" - ], - "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ] - }, - "related": [ - { - "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", - "tags": [ - 
"estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "15619216-e993-4721-b590-4c520615a67d", - "value": "Potential Meterpreter/CobaltStrike Activity" - }, { "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "meta": { @@ -69631,38 +69673,6 @@ "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "value": "Tamper Windows Defender Remove-MpPreference" }, - { - "description": "Detects a windows service to be stopped", - "meta": { - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "creation_date": "2019/10/23", - "falsepositive": [ - "Administrator shutting down the service due to upgrade or removal purposes" - ], - "filename": "proc_creation_win_service_stop.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "related": [ - { - "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", - "value": "Stop Windows Service" - }, { "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "meta": { 
@@ -69703,6 +69713,87 @@ "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "value": "Renamed BrowserCore.EXE Execution" }, + { + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "meta": { + "author": "Markus Neis, @Karneades", + "creation_date": "2018/03/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", + "value": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" + }, + { + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "meta": { + "author": "frack113", + "creation_date": "2022/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browsers_tor_execution.yml", + "level": "high", + "logsource.category": "process_creation", 
+ "logsource.product": "windows", + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ] + }, + "related": [ + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "value": "Tor Client/Browser Execution" + }, { "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", "meta": { 
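Review bot: The new PowerSploit/Empire cluster tags `attack.s0111`, `attack.g0022` and `attack.g0060`, but its `related` list only links the two technique UUIDs (`005a06c6-…` alongside `attack.t1053.005`, `970a3432-…` alongside `attack.t1059.001`), so the software and group relationships the rule author encoded are dropped once the entry lands in the galaxy. Either extend the generator to map `s*`/`g*` tags to the corresponding software and intrusion-set cluster UUIDs, or document in the cluster header that only technique tags produce `related` edges. The `car.2013-08-001` tag has no target galaxy either, which is presumably intentional. The Tor cluster in the same hunk is consistent (`attack.t1090.003` paired with `a782ebe2-…`).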
@@ -69854,6 +69945,40 @@ "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "value": "UAC Bypass Abusing Winsat Path Parsing - Process" }, + { + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_shutdown_logoff.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "value": "Suspicious Execution of Shutdown to Log Out" + }, { "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "meta": { @@ -69921,7 +70046,7 @@ "value": "Launch-VsDevShell.PS1 Proxy Execution" }, { - "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019/10/24", 
@@ -69933,8 +70058,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ 
@@ -69987,40 +70112,6 @@ "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" }, - { - "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "System administrator usage", - "Anti virus products" - ], - "filename": "proc_creation_win_always_install_elevated_windows_installer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "related": [ - { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", - "value": "Always Install Elevated Windows Installer" - }, { "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "meta": { 
@@ -70034,11 +70125,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -70081,9 +70172,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], 
@@ -70112,40 +70203,6 @@ "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", "value": "Sdiagnhost Calling Suspicious Child Process" }, - { - "description": "Detect attacker collecting audio via SoundRecorder application.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate audio capture by legitimate user." - ], - "filename": "proc_creation_win_soundrec_audio_capture.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ] - }, - "related": [ - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", - "value": "Audio Capture via SoundRecorder" - }, { "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", "meta": { 
@@ -70167,104 +70224,6 @@ "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "value": "Rundll32 Execution Without DLL File" }, - { - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_instalutil.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", - "value": "Suspicious Execution of InstallUtil Without Log" - }, - { - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "filename": "proc_creation_win_user_discovery_get_aduser.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "related": [ - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": 
[ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", - "value": "User Discovery And Export Via Get-ADUser Cmdlet" - }, - { - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "meta": { - "author": "FPT.EagleEye Team, wagga", - "creation_date": "2020/12/11", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_shell_spawn_from_mssql.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" - ], - "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "value": "Suspicious Shells Spawn by SQL Server" - }, { "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", "meta": { 
@@ -70278,9 +70237,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ 
@@ -70300,6 +70259,40 @@ "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "value": "Microsoft IIS Service Account Password Dumped" }, + { + "description": "Detects a Windows program executable started from a suspicious folder", + "meta": { + "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "creation_date": "2017/11/27", + "falsepositive": [ + "Exotic software" + ], + "filename": "proc_creation_win_susp_system_exe_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://asec.ahnlab.com/en/39828/", + "https://twitter.com/GelosSnake/status/934900723426439170", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "value": "System File Execution Location Anomaly" + }, { "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", "meta": { 
@@ -70402,39 +70395,37 @@ "value": "Service Reconnaissance Via Wmic.EXE" }, { - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/14", + "creation_date": "2023/03/09", "falsepositive": [ - "Unlikely" + "Legitimate administrators might use this command to update Sysmon configuration." ], - "filename": "proc_creation_win_susp_new_service_creation.yml", - "level": "high", + "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml" ], "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1562.001" ] }, "related": [ { - "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", 
- "value": "Suspicious New Service Creation" + "uuid": "87911521-7098-470b-a459-9a57fc80bdfd", + "value": "Sysmon Configuration Update" }, { "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", @@ -70502,6 +70493,41 @@ "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", "value": "Script Interpreter Execution From Suspicious Folder" }, + { + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/994405551751815170", + "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "value": "Remote Code Execute via Winrm.vbs" + }, { "description": "Detects email exfiltration via powershell cmdlets", "meta": { 
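Review bot: The winrm.vbs cluster's description says it detects code execution or service creation on a remote host, and its refs include a lateral-movement write-up, yet its only tags are `attack.defense_evasion` / `attack.t1216`, so the `related` list carries a single proxy-execution edge (`f6fe9070-…`) and nothing ties the entry to lateral movement. If the upstream rule is meant to cover the remote case it should carry `attack.lateral_movement` and `attack.t1021.006` before the next regeneration; otherwise the description should be narrowed to the local proxy-execution case so tags and text agree. The tags are inherited from the sigma source; the generator is not in this diff.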
@@ -70515,8 +70541,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" ], "tags": [ 
@@ -70604,78 +70630,36 @@ "value": "Conti NTDS Exfiltration Command" }, { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", + "author": "Max Altgelt (Nextron Systems)", + "creation_date": "2022/08/23", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_invoke_obfuscation_var.yml", - "level": "high", + "filename": "proc_creation_win_susp_sysnative.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml" + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1055" ] }, "related": [ { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", - "value": "Invoke-Obfuscation VAR+ Launcher" - }, - { - "description": "Detects a suspicious svchost process start", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_svchost.yml", - "level": "high", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "related": [ - { - "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "value": "Suspicious Svchost Process" + "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "value": "Process Creation Using Sysnative Folder" }, { "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", @@ -70690,8 +70674,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ @@ -70766,8 +70750,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityxploded.com/", "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://securityxploded.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ 
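Review bot: The new sysnative cluster is the only entry in this chunk whose `tags` list has a technique without a tactic — just `attack.t1055`, where every neighbouring entry pairs the technique with an `attack.<tactic>` tag. The `related` edge to `43e7dc91-…` is still produced, but consumers that filter galaxy entries by tactic will never surface this one; `"tags": ["attack.defense_evasion", "attack.privilege_escalation", "attack.t1055"]` would match the convention the rest of the file follows. The tag list comes from the upstream rule, so the change belongs in sigma unless the generator is expected to fill tactics in.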
@@ -70854,48 +70838,6 @@ "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "value": "HackTool - SysmonEOP Execution" }, - { - "description": "Detects code execution via the Windows Update client (wuauclt)", - "meta": { - "author": "FPT.EagleEye Team", - "creation_date": "2020/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_wuauclt.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", - "value": "Windows Update Client LOLBIN" - }, { "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", "meta": { 
@@ -70943,9 +70885,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://youtu.be/5mqid-7zp8k?t=2481", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], @@ -70970,8 +70912,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ 
@@ -70991,27 +70933,6 @@ "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", "value": "Imports Registry Key From a File" }, - { - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_public_folder_parent.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" - ], - "tags": "No established tags" - }, - "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "value": "Parent in Public Folder Suspicious Process" - }, { "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "meta": { 
@@ -71045,6 +70966,41 @@ "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" }, + { + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/03/11", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "filename": "proc_creation_win_schtasks_creation_temp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "value": "Suspicious Scheduled Task Creation Involving Temp Folder" + }, { "description": "Detects dump of credentials in VeeamBackup dbo", "meta": { 
@@ -71079,40 +71035,6 @@
 "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53",
 "value": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE"
 },
- {
- "description": "The OpenWith.exe executes other binary",
- "meta": {
- "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)",
- "creation_date": "2019/10/12",
- "falsepositive": [
- "Legitimate use of OpenWith.exe by legitimate user"
- ],
- "filename": "proc_creation_win_susp_openwith.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
- "https://twitter.com/harr0ey/status/991670870384021504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f",
- "value": "OpenWith.exe Executes Specified Binary"
- },
 {
 "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff",
 "meta": {
@@ -71126,9 +71048,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/winsiderss/systeminformer",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
 "https://processhacker.sourceforge.io/",
- "https://github.com/winsiderss/systeminformer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
 ],
 "tags": "No established tags"
@@ -71149,9 +71071,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
 ],
 "tags": [
@@ -71249,95 +71171,37 @@
 "value": "Writing Of Malicious Files To The Fonts Folder"
 },
 {
- "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share",
+ "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/09/27",
+ "creation_date": "2022/12/23",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_copy_dmp_from_share.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml"
- ],
- "tags": [
- "attack.credential_access"
- ]
- },
- "uuid": "044ba588-dff4-4918-9808-3f95e8160606",
- "value": "Copy DMP Files From Share"
- },
- {
- "description": "Detects suspicious Splwow64.exe process without any command line parameters",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_splwow64.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/sbousseaden/status/1429401053229891590?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "related": [
- {
- "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2",
- "value": "Suspicious Splwow64 Without Params"
- },
- {
- "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection",
- "meta": {
- "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/05",
- "falsepositive": [
- "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process."
- ],
- "filename": "proc_creation_win_ntfs_short_name_use_cli.yml",
+ "filename": "proc_creation_win_susp_copy_browser_data.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
+ "attack.credential_access",
+ "attack.t1555.003"
 ]
 },
 "related": [
 {
- "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795",
- "value": "Use NTFS Short Name in Command Line"
+ "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b",
+ "value": "Potential Browser Data Stealing"
 },
 {
 "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings",
@@ -71362,50 +71226,6 @@
 "uuid": "0afbd410-de03-4078-8491-f132303cb67d",
 "value": "Renamed NetSupport RAT Execution"
 },
- {
- "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.g0010",
- "attack.credential_access",
- "attack.t1003.001",
- "attack.exfiltration",
- "attack.t1560.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422",
- "value": "Judgement Panda Exfil Activity"
- },
 {
 "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents",
 "meta": {
@@ -71486,8 +71306,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
 ],
 "tags": [
@@ -71508,12 +71328,12 @@
 "value": "Suspicious Outlook Child Process"
 },
 {
- "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020",
+ "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2020/05/20",
 "falsepositive": [
- "Unknown"
+ "Unlikely"
 ],
 "filename": "proc_creation_win_apt_greenbug_may20.yml",
 "level": "critical",
@@ -71557,91 +71377,24 @@
 }
 ],
 "uuid": "3711eee4-a808-4849-8a14-faf733da3612",
- "value": "Greenbug Campaign Indicators"
+ "value": "Greenbug Espionage Group Indicators"
 },
 {
- "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/15",
- "falsepositive": [
- "Legitimate scripts"
- ],
- "filename": "proc_creation_win_cmd_delete.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3",
- "value": "Windows Cmd Delete File"
- },
- {
- "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_service_modification.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b",
- "value": "Stop Or Remove Antivirus Service"
- },
- {
- "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)",
+ "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)",
 "meta": {
 "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)",
 "creation_date": "2021/08/09",
 "falsepositive": [
- "Some rare backup scenarios"
+ "Backup scenarios using the commandline"
 ],
 "filename": "proc_creation_win_cmd_shadowcopy_access.yml",
- "level": "medium",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
 ],
 "tags": [
@@ -71659,7 +71412,7 @@
 }
 ],
 "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1",
- "value": "Copy from Volume Shadow Copy"
+ "value": "Copy From VolumeShadowCopy Via Cmd.EXE"
 },
 {
 "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
@@ -71675,8 +71428,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
 ],
 "tags": [
@@ -71743,8 +71496,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"
 ],
 "tags": [
@@ -71777,8 +71530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.exploit-db.com/exploits/37525",
 "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
+ "https://www.exploit-db.com/exploits/37525",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
@@ -71842,104 +71595,31 @@
 "value": "Potential PowerShell Obfuscation Via WCHAR"
 },
 {
- "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection",
+ "description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/01",
+ "author": "Nikita Nazarov, oscd.community",
+ "creation_date": "2020/10/08",
 "falsepositive": [
- "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)"
+ "Unknown"
 ],
- "filename": "proc_creation_win_sc_delete_av_services.yml",
+ "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml"
+ "https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml"
 ],
 "tags": [
- "attack.execution",
 "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b",
- "value": "Suspicious Execution of Sc to Delete AV Services"
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/11",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_anydesk_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_execution.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "related": [
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94",
- "value": "AnyDesk Execution"
- },
- {
- "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.",
- "meta": {
- "author": "Markus Neis, @Karneades",
- "creation_date": "2018/03/06",
- "falsepositive": [
- "False positives are possible, depends on organisation and processes"
- ],
- "filename": "proc_creation_win_powersploit_empire_schtasks.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
- "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
- ],
- "tags": [
+ "attack.t1027",
 "attack.execution",
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.s0111",
- "attack.g0022",
- "attack.g0060",
- "car.2013-08-001",
- "attack.t1053.005",
 "attack.t1059.001"
 ]
 },
 "related": [
 {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -71953,41 +71633,43 @@
 "type": "related-to"
 }
 ],
- "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f",
- "value": "Default PowerSploit and Empire Schtasks Persistence"
+ "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88",
+ "value": "Invoke-Obfuscation Via Use MSHTA"
 },
 {
- "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity",
+ "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/31",
+ "author": "Elastic (idea), Tobias Michalski (Nextron Systems)",
+ "creation_date": "2022/05/04",
 "falsepositive": [
- "Rare legitimate inline scripting by some administrators"
+ "Unknown"
 ],
- "filename": "proc_creation_win_wscript_shell_cli.yml",
+ "filename": "proc_creation_win_rundll32_ntlmrelay.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml"
+ "https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "attack.privilege_escalation",
+ "attack.credential_access",
+ "attack.t1212"
 ]
 },
 "related": [
 {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "2c28c248-7f50-417a-9186-a85b223010ee",
- "value": "Wscript Shell Run In CommandLine"
+ "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
+ "value": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
 {
 "description": "Detects the Installation of a Exchange Transport Agent",
@@ -72055,40 +71737,6 @@
 "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab",
 "value": "Potential Data Exfiltration Activity Via CommandLine Tools"
 },
- {
- "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/23",
- "falsepositive": [
- "Domain Controller User Logon",
- "Unknown how many legitimate software products use that method"
- ],
- "filename": "proc_creation_win_susp_explorer_nouaccheck.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/ORCA6665/status/1496478087244095491",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1548.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b",
- "value": "Explorer NOUACCHECK Flag"
- },
 {
 "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network",
 "meta": {
@@ -72254,11 +71902,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
 "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -72278,67 +71926,6 @@
 "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a",
 "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe"
 },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_chafer_mar18.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06",
- "value": "Chafer Activity"
- },
 {
 "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI",
 "meta": {
@@ -72372,39 +71959,6 @@
 "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d",
 "value": "Gpg4Win Decrypt Files From Suspicious Locations"
 },
- {
- "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)",
- "meta": {
- "author": "Tim Rauch",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1133"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3",
- "value": "Unusual Child Process of dns.exe"
- },
 {
 "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values",
 "meta": {
@@ -72447,6 +72001,43 @@
 "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536",
 "value": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
 },
+ {
+ "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), frack113",
+ "creation_date": "2022/09/01",
+ "falsepositive": [
+ "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry"
+ ],
+ "filename": "proc_creation_win_susp_service_tamper.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1489"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330",
+ "value": "Suspicious Windows Service Tampering"
+ },
 {
 "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.",
 "meta": {
@@ -72460,9 +72051,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://abuse.io/lockergoga.txt",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
- "https://abuse.io/lockergoga.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
 ],
 "tags": [
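Review bot: The new "Suspicious Windows Service Tampering" entry tags `attack.defense_evasion` but its only technique tag is `attack.t1489`, which ATT&CK files under Impact, so the defense-evasion tactic is left without a technique and the sole `related` mapping (`20fb2507-…`, Service Stop) does not cover the AV-disabling case the description itself leads with. The two entries removed elsewhere in this diff whose references this one reuses — "Stop Or Remove Antivirus Service" (the atomic T1562.001 and NCC Group links) and "Suspicious Execution of Sc to Delete AV Services" (the VirusTotal `38283b…` hash) — both carried `attack.t1562.001` with a related entry for `ac08589e-ee59-4935-8667-d845e38fe579`, and that Impair Defenses mapping appears to be lost in the consolidation. If this cluster is generated from the SigmaHQ repository, as the `refs` suggest, the fix is a one-line addition of `- attack.t1562.001` to the tags of `proc_creation_win_susp_service_tamper.yml` upstream and a regeneration; if the JSON is hand-maintained, add `"attack.t1562.001"` to `tags` together with a `related` object mirroring the removed `ac08589e-…` one. Either way, consider also adding `attack.impact` so that `t1489` has its own tactic tag, matching how the other entries in this file pair tactics with techniques.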
@@ -72491,6 +72082,84 @@ "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "value": "Disable of ETW Trace" }, + { + "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/02/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gallium_iocs.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_iocs.yml" + ], + "tags": [ + "attack.credential_access", + "attack.command_and_control", + "attack.t1212", + "attack.t1071", + "attack.g0093" + ] + }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", + "value": "GALLIUM IOCs" + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners", + "Some build frameworks" + ], + "filename": "proc_creation_win_susp_crypto_mining_monero.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ] + }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "value": "Potential Crypto Mining Activity" + }, { "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", "meta": { 
@@ -72525,41 +72194,6 @@ "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "value": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, - { - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_psr_capture_screenshots.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "related": [ - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", - "value": "Psr.exe Capture Screenshots" - }, { "description": "Detects the execution of the PurpleSharp adversary simulation tool", "meta": { 
@@ -72594,27 +72228,29 @@ "value": "HackTool - PurpleSharp Execution" }, { - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/06", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_dumpstack_log_evasion.yml", - "level": "critical", + "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1479094189048713219", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ "attack.defense_evasion" ] }, - "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "value": "DumpStack.log Defender Evasion" + "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", + "value": "Suspicious Usage Of ShellExec_RunDLL" }, { "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", 
@@ -72700,9 +72336,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_darkside_ransomware.yml" ], "tags": [ 
@@ -72723,39 +72359,78 @@ "value": "DarkSide Ransomware Pattern" }, { - "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", "meta": { - "author": "Markus Neis, Swisscom", - "creation_date": "2020/06/18", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/14", "falsepositive": [ - "Will need to be looked for combinations of those processes" + "Unknown" ], - "filename": "proc_creation_win_apt_ke3chang_regadd.yml", - "level": "critical", + "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" + "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml" ], "tags": [ - "attack.g0004", - "attack.defense_evasion", - "attack.t1562.001" + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" ] }, "related": [ { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": 
"7b544661-69fc-419f-9a59-82ccc328f205", - "value": "Ke3chang Registry Key Modifications" + "uuid": "9212f354-7775-4e28-9c9f-8f0a4544e664", + "value": "Active Directory Database Snapshot Via ADExplorer" + }, + { + "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", + "meta": { + "author": "Hieu Tran", + "creation_date": "2023/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", + "value": "Suspicious Rundll32 Execution With Image Extension" }, { "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", 
@@ -72792,6 +72467,39 @@ "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", "value": "Potential UAC Bypass Via Sdclt.EXE" }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Legitimate activity is expected since compressing files with a password is common." + ], + "filename": "proc_creation_win_7zip_password_compression.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", + "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" + }, { "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", "meta": { @@ -72805,8 +72513,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ 
@@ -72827,6 +72535,29 @@ "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", "value": "New Network Trace Capture Started Via Netsh.EXE" }, + { + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wermgr_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/binderlabs/DirCreate2System", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" + ], + "tags": "No established tags" + }, + "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "value": "Suspicious WERMGR Process Patterns" + }, { "description": "Detects Archer malware invocation via rundll32", "meta": { @@ -72840,8 +72571,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml" ], "tags": [ 
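Review bot: The added "Suspicious WERMGR Process Patterns" cluster sets `"tags": "No established tags"`, a bare string, while every other cluster in this and the neighbouring hunks carries `tags` as a JSON array; code that iterates `meta.tags` will walk the characters of that sentence, and a schema that types the field as an array will reject the file. Use an empty array, `"tags": []`, or drop the key entirely, and if this file is produced by a generator from the Sigma rules, fix the fallback there rather than in the output so the next regeneration does not reintroduce the string. The rule otherwise carries no ATT&CK tactic or technique, so it also gains no `related` entries; that is consistent with an empty tag list but worth noting for anyone expecting a T1036/T1055-style mapping, which this page does not establish.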
@@ -72862,49 +72593,6 @@ "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", "value": "Fireball Archer Install" }, - { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "meta": { - "author": "Tim Burrell", - "creation_date": "2020/02/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_gallium_sha1.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212", - "attack.command_and_control", - "attack.t1071" - ] - }, - "related": [ - { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", - "value": "GALLIUM Sha1 Artefacts" - }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { 
@@ -72940,8 +72628,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], 
@@ -72953,116 +72641,89 @@ "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" }, { - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/05/22", + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_termserv_proc_spawn.yml", + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml" + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ] }, "related": [ { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", - "value": "Terminal Service Process Spawn" + "uuid": 
"e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "value": "Invoke-Obfuscation Via Use Clip" }, { - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/06/07", + "author": "Agro (@agro_sev) oscd.communitly", + "creation_date": "2020/10/13", "falsepositive": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
], - "filename": "proc_creation_win_archiver_iso_phishing.yml", - "level": "high", + "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566" - ] - }, - "related": [ - { - "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", - "value": "Phishing Pattern ISO in Archive" - }, - { - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "meta": { - "author": "_pete_0, TheDFIRReport", - "creation_date": "2022/05/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_cobaltstrike_bloopers_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], 
"tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" ] }, "related": [ { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "value": "Operator Bloopers Cobalt Strike Commands" + "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "value": "SQL Client Tools PowerShell Session Detection" }, { "description": "Detect filter driver unloading activity via fltmc.exe", 
@@ -73146,6 +72807,40 @@ "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", "value": "PowerShell Base64 Encoded IEX Keyword" }, + { + "description": "Detect attacker collecting audio via SoundRecorder application.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate audio capture by legitimate user." + ], + "filename": "proc_creation_win_soundrecorder_audio_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", + "value": "Audio Capture via SoundRecorder" + }, { "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", "meta": { 
@@ -73159,10 +72854,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", - "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", - "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", + "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], "tags": [ 
@@ -73183,22 +72878,20 @@ "value": "Formbook Process Creation" }, { - "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/03/17", + "author": "frack113", + "creation_date": "2022/09/25", "falsepositive": [ - "Unknown" + "Legitimate use" ], - "filename": "proc_creation_win_susp_tscon_localsystem.yml", - "level": "high", + "filename": "proc_creation_win_remote_access_tools_netsupport.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml" ], "tags": [ "attack.command_and_control", 
@@ -73214,8 +72907,8 @@ "type": "related-to" } ], - "uuid": "9847f263-4a81-424f-970c-875dab15b79b", - "value": "Suspicious TSCON Start as SYSTEM" + "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "value": "Remote Access Tool - NetSupport Execution" }, { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", 
@@ -73230,21 +72923,21 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/calebstewart/CVE-2021-1675", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/calebstewart/CVE-2021-1675", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + 
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ 
@@ -73389,6 +73082,49 @@ "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "value": "Suspicious Msiexec Quiet Install" }, + { + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2018/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tscon_rdp_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "related": [ + { + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "value": "Suspicious RDP Redirect Using TSCON" + }, { "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "meta": { 
@@ -73422,6 +73158,74 @@ "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "value": "PUA - Adidnsdump Execution" }, + { + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_stdin_redirect.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", + "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "241e802a-b65e-484f-88cd-c2dc10f9206d", + "value": "Read Contents From Stdin Via Cmd.EXE" + }, + { + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/25", + "falsepositive": [ + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + ], + "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "value": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly" + }, { "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "meta": { @@ -73435,8 +73239,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ 
@@ -73458,46 +73262,46 @@ "value": "Renamed Whoami Execution" }, { - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "description": "Detects a set of suspicious network related commands often used in recon stages", "meta": { - "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", - "creation_date": "2021/07/11", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/07", "falsepositive": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", + "filename": "proc_creation_win_nslookup_domain_discovery.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml" ], "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" ] }, "related": [ { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": 
"dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "value": "Suspicious Spool Service Child Process" + "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "value": "Network Reconnaissance Activity" }, { "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", 
@@ -73623,6 +73427,96 @@ "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "value": "HackTool - SharpUp PrivEsc Tool Execution" }, + { + "description": "Detects a suspicious svchost process start", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_svchost_susp_parent_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_susp_parent_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "value": "Suspicious Svchost Process" + }, + { + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "044ba588-dff4-4918-9808-3f95e8160606", + "value": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" + }, + { + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/12", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_psr_capture_screenshots.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", + "value": "Psr.exe Capture Screenshots" + }, { "description": "Detects execution of renamed version of PAExec. Often used by attackers", "meta": { @@ -73672,8 +73566,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ 
@@ -73760,40 +73654,6 @@ "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "value": "Ilasm Lolbin Use Compile C-Sharp" }, - { - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "meta": { - "author": "Christian Burkard (Nextron Systems)", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_target_location_shell32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.group-ib.com/resources/threat-research/red-curl-2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", - "value": "Shell32 DLL Execution in Suspicious Directory" - }, { "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", "meta": { @@ -73807,8 +73667,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml" ], "tags": [ 
@@ -73895,7 +73755,49 @@ "value": "HackTool - KrbRelay Execution" }, { - "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "value": "Invoke-Obfuscation Via Stdin" + }, + { + "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022/09/01", 
@@ -73907,8 +73809,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ @@ -73974,8 +73876,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ @@ -74091,8 +73993,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444.yml" ], "tags": [ 
@@ -74112,6 +74014,99 @@ "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", "value": "Potential CVE-2021-40444 Exploitation Attempt" }, + { + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "meta": { + "author": "Ilya Krestinichev", + "creation_date": "2022/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "value": "Suspicious Ping/Del Command Combination" + }, + { + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", + "meta": { + "author": "Sreeman, Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "value": "File Download with Headless Browser" + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_registry_typed_paths_persistence.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "value": "Persistence Via TypedPaths - CommandLine" + }, { "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "meta": { @@ -74192,9 +74187,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/jpillora/chisel/", - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -74227,8 +74222,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ 
@@ -74248,39 +74243,6 @@ "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", "value": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, - { - "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", - "value": "Remote File Download via Desktopimgdownldr Utility" - }, { "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", "meta": { 
@@ -74295,10 +74257,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/bohops/status/980659399495741441", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -74318,6 +74280,30 @@ "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", "value": "Potential Manage-bde.wsf Abuse To Proxy Execution" }, + { + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_imagingdevices_unusual_parents.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", + "value": "ImagingDevices Unusual Parent/Child Processes" + }, { "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", "meta": { 
@@ -74356,9 +74342,9 @@ "refs": [ "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ 
@@ -74452,6 +74438,100 @@ "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "value": "Net.exe Execution" }, + { + "description": "Detects activity that could be related to Baby Shark malware", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_babyshark.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_babyshark.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005" + ] + }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "value": "Potential Baby Shark Malware Activity" + }, + { + "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "meta": { + "author": "Markus Neis, Swisscom", + "creation_date": "2020/06/18", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_malware_ke3chang_tidepool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ke3chang_tidepool.yml" + ], + "tags": [ + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", + "value": "Potential Ke3chang/TidePool Malware Activity" + }, { "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { @@ -74465,9 +74545,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ 
@@ -74487,105 +74567,6 @@ "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", "value": "Suspicious Mofcomp Execution" }, - { - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "meta": { - "author": "bohops", - "creation_date": "2022/10/30", - "falsepositive": [ - "False positives depend on custom use of vsls-agent.exe" - ], - "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bohops/status/1583916360404729857", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "43103702-5886-11ed-9b6a-0242ac120002", - "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" - }, - { - "description": "Use of the commandline to shutdown or reboot windows", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shutdown.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ] - }, - "related": [ - { - "dest-uuid": 
"ff73aa03-0090-4464-83ac-f89e233c02bc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", - "value": "Suspicious Execution of Shutdown" - }, - { - "description": "Detects a suspicious program execution in Outlook temp folder", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/10/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_outlook_temp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "related": [ - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "value": "Execution in Outlook Temp Folder" - }, { "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", "meta": { 
@@ -74672,88 +74653,70 @@ "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, { - "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "meta": { - "author": "_pete_0, TheDFIRReport", - "creation_date": "2022/02/21", - "falsepositive": [ - "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section" - ], - "filename": "proc_creation_win_susp_codepage_lookup.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1614.001" - ] - }, - "related": [ - { - "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", - "value": "CHCP CodePage Locale Lookup" - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "meta": { - "author": "Alexander Rausch", - "creation_date": "2020/06/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/27", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_redmimicry_winnti_proc.yml", + "filename": "proc_creation_win_7zip_exfil_dmp_files.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redmimicry.com/posts/redmimicry-winnti/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml" ], "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" + "attack.collection", + "attack.t1560.001" ] }, "related": [ { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "value": "RedMimicry Winnti Playbook Execution" + "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "value": "7Zip Compressing Dump Files" + }, + { + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.001" + ] + }, + "related": [ + { + "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "value": "Change Default File Association To Executable Via Assoc" }, { "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", @@ -74769,9 +74732,9 @@ "logsource.product": "windows", "refs": [ "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", - "https://www.joesandbox.com/analysis/790122/0/html", "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", "https://twitter.com/anfam17/status/1607477672057208835", + "https://www.joesandbox.com/analysis/790122/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml" ], "tags": [ 
@@ -74866,37 +74829,133 @@ "value": "Run PowerShell Script from ADS" }, { - "description": "Adversaries may abuse Visual Basic (VB) for execution", + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", "meta": { - "author": "frack113", - "creation_date": "2022/01/02", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/14", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_cscript_vbs.yml", + "filename": "proc_creation_win_csvde_export.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cscript_vbs.yml" + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", + "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ - "attack.execution", - "attack.t1059.005" + "attack.exfiltration" + ] + }, + "uuid": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", + "value": "Active Directory Structure Export Via Csvde.EXE" + }, + { + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "meta": { + "author": "Sreeman", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_bitsadmin_potential_persistence.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1197" ] }, "related": [ { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", - "value": "Visual Basic Script Execution" + "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "value": "Monitoring For Persistence Via BITS" + }, + { + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", + "creation_date": "2019/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_explorer_break_process_tree.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "value": "Explorer Process Tree Break" + }, + { + "description": "Attackers can use explorer.exe for evading defense mechanisms", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", + "falsepositive": [ + "Legitimate explorer.exe run from cmd.exe" + ], + "filename": "proc_creation_win_explorer_lolbin_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", + "value": "Proxy Execution Via Explorer.exe" }, { "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", 
@@ -74911,8 +74970,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ 
@@ -74932,42 +74991,6 @@ "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" }, - { - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", - "creation_date": "2019/06/29", - "falsepositive": [ - "Unknown how many legitimate software products use that method" - ], - "filename": "proc_creation_win_susp_explorer_break_proctree.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1535322450858233858", - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", - "value": "Explorer Process Tree Break" - }, { "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "meta": { 
@@ -74981,10 +75004,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -75004,6 +75027,39 @@ "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "value": "Suspicious AgentExecutor PowerShell Execution" }, + { + "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_dir_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "value": "Files And Subdirectories Listing Using Dir" + }, { "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "meta": { 
@@ -75080,28 +75136,38 @@ "value": "WmiPrvSE Spawned PowerShell" }, { - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "description": "Attackers can use print.exe for remote file copy", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/27", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_imaging_devices_unusual_parents.yml", - "level": "high", + "filename": "proc_creation_win_print_remote_file_copy.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ "attack.defense_evasion", - "attack.execution" + "attack.t1218" ] }, - "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", - "value": "ImagingDevices Unusual Parent/Child Processes" + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "value": "Abusing Print Executable" }, { "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", 
@@ -75283,13 +75349,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/zcgonvh/NTDSDumpEx", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ 
@@ -75310,79 +75376,7 @@ "value": "Suspicious Process Patterns NTDS.DIT Exfil" }, { - "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", - "meta": { - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", - "creation_date": "2020/10/23", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", - "https://www.cobaltstrike.com/help-opsec", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "value": "Bad Opsec 
Defaults Sacrificial Processes With Improper Arguments" - }, - { - "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", - "meta": { - "author": "Florian Roth (Nextron Systems), Tim Shelton", - "creation_date": "2019/10/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_bluemashroom.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ] - }, - "related": [ - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "value": "BlueMashroom DLL Load" - }, - { - "description": "Detects use of redirection character \">\" to redicrect information in commandline", + "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", "meta": { "author": "frack113", "creation_date": "2022/01/22", @@ -75412,7 +75406,7 @@ } ], "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "value": "Redirect Output in CommandLine" + "value": "CMD Shell Output Redirect" }, { "description": "Detects usage of the SysInternals Procdump utility", 
@@ -75520,6 +75514,73 @@ "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "value": "PowerShell Download Pattern" }, + { + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_inline_win_api_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/m417z/status/1566674631788007425", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "value": "Potential WinAPI Calls Via CommandLine" + }, + { + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1546.008" + ] + }, + "related": [ + { + "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e9b61244-893f-427c-b287-3e708f321c6b", + "value": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" + }, { "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "meta": { 
@@ -75553,33 +75614,6 @@ "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", "value": "Local Groups Reconnaissance Via Wmic.EXE" }, - { - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/14", - "falsepositive": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" - ], - "filename": "proc_creation_win_weak_or_abused_passwords.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ] - }, - "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", - "value": "Weak or Abused Passwords In CLI" - }, { "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "meta": { 
@@ -75613,6 +75647,39 @@ "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, + { + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_java_remote_debugging.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "value": "Java Running with Remote Debugging" + }, { "description": "Detects python spawning a pretty tty", "meta": { @@ -75659,8 +75726,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", + "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ 
@@ -75680,6 +75747,39 @@ "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", "value": "Replace.exe Usage" }, + { + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2020/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_disable_ie_features.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "value": "Disabled IE Security Features" + }, { "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", "meta": { 
@@ -75693,8 +75793,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/med0x2e/vba2clr", + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml" ], "tags": [ @@ -75719,8 +75819,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://twitter.com/pabraeken/status/991335019833708544", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ 
@@ -75741,6 +75841,59 @@ "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "value": "Indirect Command Execution By Program Compatibility Wizard" }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "proc_creation_win_tapinstall_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "99793437-3e16-439b-be0f-078782cf953d", + "value": "Tap Installer Execution" + }, + { + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "meta": { + "author": "Florian Roth (Nextron Systems), Microsoft (idea)", + "creation_date": "2022/08/04", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_iis_susp_module_registration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml" + ], + "tags": "No established tags" + }, + "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "value": "Suspicious IIS Module Registration" + }, { "description": "Detects base64 
encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", "meta": { @@ -75755,9 +75908,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -75777,6 +75930,27 @@ "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", "value": "Powershell Base64 Encoded MpPreference Cmdlet" }, + { + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml" + ], + "tags": "No established tags" + }, + "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "value": "Parent in Public Folder Suspicious Process" + }, { "description": "Detects the creation of a new service using powershell.", "meta": { 
@@ -75813,46 +75987,38 @@ "value": "New Service Creation Using PowerShell" }, { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "description": "The OpenWith.exe executes other binary", "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/12", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "creation_date": "2019/10/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml", + "filename": "proc_creation_win_lolbin_openwith.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml" + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1218" ] }, "related": [ { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "value": "Invoke-Obfuscation Via Stdin" + "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", + "value": "OpenWith.exe Executes Specified Binary" }, { "description": "Execute C# code with the Build Provider and proper folder structure in place.", 
@@ -75887,41 +76053,6 @@ "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", "value": "Suspicious aspnet_compiler.exe Execution" }, - { - "description": "Detects different loaders as described in various threat reports on Lazarus group activity", - "meta": { - "author": "Florian Roth (Nextron Systems), wagga", - "creation_date": "2020/12/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_lazarus_loader.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" - ] - }, - "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", - "value": "Lazarus Loaders" - }, { "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "meta": { @@ -75936,8 +76067,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ 
@@ -75990,62 +76121,6 @@ "uuid": "a4824fca-976f-4964-b334-0621379e84c4", "value": "Potential File Overwrite Via Sysinternals SDelete" }, - { - "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_redirect_local_admin_share.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" - ], - "tags": "No established tags" - }, - "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", - "value": "Suspicious Redirection to Local Admin Share" - }, - { - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_script_event_consumer_spawn.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", - "https://redcanary.com/blog/child-processes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "related": [ - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - 
"estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "value": "Script Event Consumer Spawning Process" - }, { "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", "meta": { 
@@ -76110,7 +76185,196 @@ } ], "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "value": "Use of LogMeIn Remote Access Software" + "value": "Remote Access Tool - LogMeIn Execution" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" + }, + { + "description": "Detects Elise backdoor activity used by APT32", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2018/01/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_elise.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", + 
"https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_elise.yml" + ], + "tags": [ + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" + ] + }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "value": "Elise Backdoor Activity" + }, + { + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_mpiexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", + "value": "MpiExec Lolbin" + }, + { + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "meta": { + "author": "Alfie Champion (ajpc500)", + "creation_date": "2021/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_hktl_c3_rundll32_pattern.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "value": "HackTool - F-Secure C3 Load by Rundll32" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation" }, { "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", @@ -76125,9 +76389,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ 
@@ -76214,62 +76478,6 @@ "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", "value": "Remotely Hosted HTA File Executed Via Mshta.EXE" }, - { - "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_commandline_chars.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", - "value": "Suspicious Characters in CommandLine" - }, - { - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "meta": { - "author": "Florian Roth (Nextron Systems), Tigzy", - "creation_date": "2021/11/17", - "falsepositive": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" - ], - "filename": "proc_creation_win_susp_winrar_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1460978167628406785", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", - "value": "Winrar Execution in Non-Standard Folder" - }, { "description": "Download or 
Copy file with Extrac32", "meta": { @@ -76326,39 +76534,6 @@ "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", "value": "Potential RDP Session Hijacking Activity" }, - { - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2020/06/19", - "falsepositive": [ - "Unknown, maybe some security software installer disables these features temporarily" - ], - "filename": "proc_creation_win_susp_disable_ie_features.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "related": [ - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "value": "Disabled IE Security Features" - }, { "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "meta": { 
@@ -76395,9 +76570,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/filip_dragovic/status/1590104354727436290", - "https://twitter.com/filip_dragovic/status/1590052248260055041", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://twitter.com/filip_dragovic/status/1590052248260055041", + "https://twitter.com/filip_dragovic/status/1590104354727436290", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml" ], "tags": "No established tags" 
@@ -76406,58 +76581,28 @@ "value": "Suspicious Sysmon as Execution Parent" }, { - "description": "Detects suspicious command line to remove and 'exe' or 'dll'", + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", "meta": { "author": "frack113", - "creation_date": "2021/12/02", + "creation_date": "2022/11/17", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_del.yml", + "filename": "proc_creation_win_msbuild_susp_parent_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", + "https://www.echotrail.io/insights/search/msbuild.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "204b17ae-4007-471b-917b-b917b315c5db", - "value": "Suspicious Del in CommandLine" - }, - { - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" - ], - "tags": "No established tags" - }, - "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "value": "Suspicious Windows Update Agent Empty Cmdline" + "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "value": "Suspicious Msbuild Execution By Uncommon Parent Process" }, { "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", 
@@ -76492,6 +76637,42 @@ "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "value": "Suspicious Calculator Usage" }, + { + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" + ], + "filename": "proc_creation_win_rar_compression_with_password.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/bash/rar.html", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", + "value": "Rar Usage with Password and Compression Level" + }, { "description": "Detects the execution of a renamed office binary", "meta": { 
@@ -76515,41 +76696,6 @@ "uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "value": "Renamed Office Binary Execution" }, - { - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1465058133303246867", - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", - "value": "MpiExec Lolbin" - }, { "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", "meta": { 
@@ -76563,8 +76709,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kagancapar/CVE-2022-29072", "https://twitter.com/kagancapar/status/1515219358234161153", + "https://github.com/kagancapar/CVE-2022-29072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_29072_7zip.yml" ], "tags": [ @@ -76589,9 +76735,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_office.yml" ], "tags": [ @@ -76624,9 +76770,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ 
@@ -76689,38 +76835,37 @@ "value": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" }, { - "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", "meta": { - "author": "frack113", - "creation_date": "2022/01/01", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/10", "falsepositive": [ - "Unknown" + "Other parent processes other than notepad++ using GUP that are not currently identified" ], - "filename": "proc_creation_win_susp_systeminfo.yml", - "level": "low", + "filename": "proc_creation_win_gup_download.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" + "https://twitter.com/nas_bench/status/1535322182863179776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_download.yml" ], "tags": [ - "attack.discovery", - "attack.t1082" + "attack.command_and_control", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "value": "Suspicious Execution of Systeminfo" + "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", + "value": "File Download Using Notepad++ GUP Utility" }, { "description": "Detects suspicious PowerShell scripts accessing SAM hives", 
@@ -76769,10 +76914,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ @@ -76792,38 +76937,6 @@ "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "value": "AgentExecutor PowerShell Execution" }, - { - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", - "meta": { - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "filename": "proc_creation_win_tap_installer_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ] - }, - "related": [ - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "99793437-3e16-439b-be0f-078782cf953d", - "value": "Tap Installer Execution" - }, { "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "meta": { 
@@ -76972,8 +77085,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", "https://twitter.com/harr0ey/status/992008180904419328", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ 
@@ -77026,81 +77139,6 @@ "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "value": "DLL Sideloading by Microsoft Defender" }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/13", - "falsepositive": [ - "Legitimate usage of the tool" - ], - "filename": "proc_creation_win_screenconnect.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", - "value": "Use of ScreenConnect Remote Access Software" - }, - { - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/04/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", - 
"level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", - "value": "Suspicious DumpMinitool Usage" - }, { "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", "meta": { 
@@ -77169,16 +77207,50 @@ "uuid": "28ac00d6-22d9-4a3c-927f-bbd770104573", "value": "Disabled RestrictedAdminMode For RDS - ProcCreation" }, + { + "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/03/04", + "falsepositive": [ + "False positives may occur with troubleshooting scripts" + ], + "filename": "proc_creation_win_powershell_set_service_disabled.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "62b20d44-1546-4e61-afce-8e175eb9473c", + "value": "Service StartupType Change Via PowerShell Set-Service" + }, { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "meta": { "author": "frack113", "creation_date": "2021/07/12", "falsepositive": [ - "Uninstall by admin" + "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" ], "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", - "level": "medium", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
@@ -77200,7 +77272,7 @@ } ], "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "value": "Uninstall Crowdstrike Falcon" + "value": "Uninstall Crowdstrike Falcon Sensor" }, { "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", @@ -77215,8 +77287,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ 
@@ -77237,37 +77309,60 @@ "value": "Discovery of a System Time" }, { - "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", "meta": { - "author": "omkar72", - "creation_date": "2020/10/25", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/02/11", "falsepositive": [ - "Unknown" + "Legitimate use by administrative staff" ], - "filename": "proc_creation_win_susp_conhost.yml", - "level": "medium", + "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml" + "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.initial_access", + "attack.t1133" ] }, "related": [ { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", - "value": "Conhost Parent Process Executions" + "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "value": "Remote Access Tool - ScreenConnect Suspicious Execution" + }, + { + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "meta": { + "author": 
"Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", + "value": "Remote Access Tool - RURAT Execution From Unusual Location" }, { "description": "Detects a command used by conti to find volume shadow backups", 
@@ -77303,6 +77398,40 @@ "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", "value": "Conti Volume Shadow Listing" }, + { + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "meta": { + "author": "Ján Trenčanský", + "creation_date": "2021/08/06", + "falsepositive": [ + "Legitimate deployment of AnyDesk" + ], + "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "value": "Remote Access Tool - AnyDesk Silent Installation" + }, { "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "meta": { 
@@ -77317,9 +77446,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ 
@@ -77340,37 +77469,38 @@ "value": "HackTool - PowerTool Execution" }, { - "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2017/04/15", "falsepositive": [ - "Other programs that cause these patterns (please report)" + "Unknown" ], - "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", + "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" + "https://twitter.com/rikvduijn/status/853251879320662017", + "https://twitter.com/felixw3000/status/853354851128025088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ - "attack.lateral_movement", - "attack.t1021" + "attack.defense_evasion", + "attack.t1218.011" ] }, "related": [ { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "value": "Privilege Escalation via Named Pipe Impersonation" + "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "value": "Suspicious Control Panel DLL Load" }, { "description": "Detects a highly relevant Antivirus alert that reports a password dumper", 
@@ -77385,9 +77515,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", - "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -77444,9 +77574,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://twitter.com/mvelazco/status/1410291741241102338", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" ], "tags": [ @@ -77512,10 +77642,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ 
@@ -77591,16 +77721,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ 
@@ -77633,12 +77763,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", - "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -77738,8 +77868,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -77772,8 +77902,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ 
@@ -77796,8 +77926,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -77820,8 +77950,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -77844,8 +77974,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -77868,8 +77998,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ 
@@ -77892,8 +78022,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -77926,8 +78056,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -77950,8 +78080,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -77974,8 +78104,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ 
@@ -77998,8 +78128,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -78036,8 +78166,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -78060,8 +78190,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ @@ -78094,8 +78224,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ 
@@ -78128,8 +78258,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ @@ -78162,8 +78292,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ @@ -78196,8 +78326,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" ], "tags": [ @@ -78220,8 +78350,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.sygnia.co/golden-saml-advisory", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://o365blog.com/post/aadbackdoor/", 
@@ -78257,8 +78387,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -78324,8 +78454,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -78358,8 +78488,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -78392,8 +78522,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ 
@@ -78416,8 +78546,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" ], "tags": [ @@ -78450,8 +78580,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" ], "tags": [ @@ -78517,8 +78647,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ 
@@ -78655,8 +78785,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ @@ -78707,8 +78837,8 @@ "logsource.product": "github", "refs": [ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", - "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ 
@@ -78801,8 +78931,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -78932,10 +79062,10 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/elastic/detection-rules/pull/1267", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], 
@@ -78984,9 +79114,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -79214,8 +79344,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -79248,9 +79378,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], "tags": [ 
@@ -79273,8 +79403,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -79307,8 +79437,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" ], "tags": [ @@ -79331,8 +79461,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" ], "tags": [ 
@@ -79355,9 +79485,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], "tags": [ @@ -79380,8 +79510,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" ], "tags": [ 
@@ -79460,13 +79590,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -80241,8 +80371,8 @@ "logsource.product": "aws", "refs": [ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", - "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" ], "tags": [ 
@@ -80647,8 +80777,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
 "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
 ],
 "tags": [
@@ -81697,8 +81827,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
 ],
 "tags": [
@@ -81928,10 +82058,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -82199,6 +82329,49 @@
 "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23",
 "value": "Azure Network Firewall Policy Modified or Deleted"
 },
+ {
+ "description": "Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.",
+ "meta": {
+ "author": "Harjot Singh, '@cyb3rjy0t'",
+ "creation_date": "2023/03/20",
+ "falsepositive": [
+ "Known Legacy Accounts"
+ ],
+ "filename": "azure_ad_suspicious_signin_bypassing_mfa.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
+ "https://blooteem.com/march-2022",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_suspicious_signin_bypassing_mfa.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.credential_access",
+ "attack.t1078.004",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc",
+ "value": "Potential MFA Bypass Using Legacy Client Authentication"
+ },
 {
 "description": "Identifies when a service principal was removed in Azure.",
 "meta": {
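Review bot: The new entry's `description` says the detection keys on user agent strings, which are entirely client-supplied, yet the only `falsepositive` listed is `Known Legacy Accounts` and the `level` is `high`; analysts working from this cluster would benefit from a sentence noting that a user-agent match should be corroborated with the client-application attribute the sign-in record itself carries before a hit is treated as an MFA bypass. Because this file looks generated from the SigmaHQ rule named in `filename` (azure_ad_suspicious_signin_bypassing_mfa.yml), that wording belongs in the upstream rule's description and falsepositives followed by a regeneration, not in a hand edit of this JSON. The ATT&CK `related` mappings carried over from the tags look consistent with the two technique tags, so nothing to change there.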
@@ -83008,10 +83181,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
@@ -83079,10 +83252,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -83260,10 +83433,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -83319,8 +83492,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
 ],
 "tags": [
@@ -83404,9 +83577,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
 ],
@@ -83509,10 +83682,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -84165,10 +84338,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -84194,10 +84367,10 @@
 "logsource.product": "azure",
 "refs": [
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -84353,8 +84526,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -84387,9 +84560,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
 "https://twitter.com/sudo_sudoka/status/1323951871078223874",
 "https://isc.sans.edu/diary/26734",
+ "https://twitter.com/jas502n/status/1321416053050667009?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml"
 ],
 "tags": [
@@ -84423,10 +84596,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
 "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
 "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26084_confluence_rce_exploit.yml"
 ],
 "tags": [
@@ -84492,8 +84665,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml"
 ],
 "tags": [
@@ -84526,8 +84699,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml"
 ],
 "tags": [
@@ -84560,8 +84733,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/pyn3rd/status/1020620932967223296",
 "https://github.com/LandGrey/CVE-2018-2894",
+ "https://twitter.com/pyn3rd/status/1020620932967223296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml"
 ],
 "tags": [
@@ -84604,9 +84777,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
- "https://dmaasland.github.io/posts/citrix.html",
 "https://support.citrix.com/article/CTX276688",
+ "https://dmaasland.github.io/posts/citrix.html",
+ "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml"
 ],
 "tags": [
@@ -84639,8 +84812,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
 "https://github.com/search?q=CVE-2021-43798",
+ "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml"
 ],
 "tags": [
@@ -84673,8 +84846,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://githubmemory.com/repo/FunctFan/JNDIExploit",
+ "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
 ],
 "tags": "No established tags"
@@ -84696,10 +84869,10 @@
 "logsource.product": "No established product",
 "refs": [
 "https://twitter.com/Al1ex4/status/1382981479727128580",
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
 "https://github.com/murataydemir/CVE-2021-27905",
- "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
 "https://twitter.com/sec715/status/1373472323538362371",
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
+ "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_27905_apache_solr_exploit.yml"
 ],
 "tags": [
@@ -84770,8 +84943,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
- "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
 "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
+ "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
 "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
 ],
@@ -84832,9 +85005,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml"
 ],
 "tags": [
@@ -84937,8 +85110,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml"
 ],
 "tags": [
@@ -85073,8 +85246,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
 ],
 "tags": [
@@ -85107,8 +85280,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
 "https://support.f5.com/csp/article/K52145254",
+ "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
 "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
 "https://twitter.com/yorickkoster/status/1279709009151434754",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml"
@@ -85143,8 +85316,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
 "https://f5.pm/go-59627.html",
+ "https://swarm.ptsecurity.com/unauth-rce-vmware",
 "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
 ],
@@ -85211,8 +85384,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
 "https://github.com/rapid7/metasploit-framework/pull/17407",
+ "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
 "https://github.com/0xf4n9x/CVE-2022-46169",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml"
 ],
@@ -85247,11 +85420,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml"
 ],
@@ -85351,11 +85524,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -85505,8 +85678,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
 "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
+ "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml"
 ],
 "tags": [
@@ -85539,8 +85712,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/apache/spark/pull/36315/files",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml"
 ],
@@ -85575,8 +85748,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
@@ -85710,8 +85883,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2231",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell.yml"
 ],
@@ -85745,8 +85918,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2231",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml"
 ],
@@ -85770,8 +85943,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
 "https://github.com/sensepost/reGeorg",
+ "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml"
 ],
 "tags": [
@@ -85804,11 +85977,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml"
 ],
@@ -85943,9 +86116,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
 "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
 "https://www.tenable.com/security/research/tra-2021-13",
+ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
 ],
 "tags": [
@@ -85980,8 +86153,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_28188_terramaster_rce_exploit.yml"
 ],
 "tags": [
@@ -86048,10 +86221,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis",
+ "https://github.com/hieuminhnv/CVE-2022-21587-POC",
 "https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/",
 "https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/",
- "https://github.com/hieuminhnv/CVE-2022-21587-POC",
- "https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_21587_oracle_ebs.yml"
 ],
 "tags": [
@@ -86122,8 +86295,8 @@
 "https://twitter.com/ptswarm/status/1445376079548624899",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
 "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://twitter.com/bl4sty/status/1445462677824761878",
 "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://twitter.com/bl4sty/status/1445462677824761878",
 "https://twitter.com/h4x0r_dz/status/1445401960371429381",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_41773_apache_path_traversal.yml"
 ],
@@ -86157,9 +86330,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.exploit-db.com/exploits/39161",
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
 "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
+ "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
+ "https://www.exploit-db.com/exploits/39161",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml"
 ],
 "tags": [
@@ -86201,9 +86374,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.exploit-db.com/exploits/19525",
 "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://www.exploit-db.com/exploits/19525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -86269,8 +86442,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/aboul3la/status/1286012324722155525",
 "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
+ "https://twitter.com/aboul3la/status/1286012324722155525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml"
 ],
 "tags": [
@@ -86392,9 +86565,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://twitter.com/mpgn_x64/status/1216787131210829826",
 "https://isc.sans.edu/diary/25686",
 "https://support.citrix.com/article/CTX267027",
- "https://twitter.com/mpgn_x64/status/1216787131210829826",
 "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
 "https://support.citrix.com/article/CTX267679",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_19781_citrix_exploit.yml"
@@ -86463,8 +86636,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/ssti-payloads",
 "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
+ "https://github.com/payloadbox/ssti-payloads",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -86506,8 +86679,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
 ],
@@ -86763,9 +86936,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml"
 ],
 "tags": [
@@ -86975,9 +87148,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -87068,12 +87241,12 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
+ "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
- "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -87093,6 +87266,41 @@
 "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e",
 "value": "Malware User Agent"
 },
+ {
+ "description": "Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.",
+ "meta": {
+ "author": "Gavin Knapp",
+ "creation_date": "2023/03/16",
+ "falsepositive": [
+ "Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this."
+ ],
+ "filename": "proxy_susp_ipfs_cred_harvest.yml",
+ "level": "low",
+ "logsource.category": "proxy",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1056"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "eb6c2004-1cef-427f-8885-9042974e5eb6",
+ "value": "Suspicious Network Communication With IPFS"
+ },
 {
 "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names",
 "meta": {
@@ -87183,8 +87391,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml"
 ],
 "tags": [
@@ -87217,8 +87425,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml"
 ],
 "tags": [
@@ -87283,8 +87491,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
 "https://twitter.com/craiu/status/1167358457344925696",
+ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ios_implant.yml"
 ],
 "tags": [
@@ -87469,9 +87677,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
- "https://www.spamhaus.org/statistics/tlds/",
 "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
+ "https://www.spamhaus.org/statistics/tlds/",
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
 "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
 ],
@@ -88009,8 +88217,8 @@
 "logsource.category": "file_event",
 "logsource.product": "macos",
 "refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
 ],
 "tags": [
@@ -88190,6 +88398,42 @@
 "uuid": "b9d9b652-d8ed-4697-89a2-a1186ee680ac",
 "value": "OSACompile Run-Only Execution"
 },
+ {
+ "description": "Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.",
+ "meta": {
+ "author": "Sohan G (D4rkCiph3r)",
+ "creation_date": "2023/03/19",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_add_to_admin_group.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://ss64.com/osx/sysadminctl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
+ "https://ss64.com/osx/dscl.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml"
+ ],
+ "tags": [
+ "attack.t1078.003",
+ "attack.initial_access",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0c1ffcf9-efa9-436e-ab68-23a9496ebf5b",
+ "value": "User Added To Admin Group - MacOS"
+ },
 {
 "description": "Detects attempts to use screencapture to collect macOS screenshots",
 "meta": {
@@ -88412,8 +88656,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
 ],
 "tags": [
@@ -88580,9 +88824,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://linux.die.net/man/1/truncate",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://linux.die.net/man/1/dd",
- "https://linux.die.net/man/1/truncate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
 ],
 "tags": [
@@ -88615,8 +88859,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://ss64.com/osx/sysadminctl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
 ],
 "tags": [
@@ -88872,9 +89116,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
- "https://www.manpagez.com/man/8/firmwarepasswd/",
 "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
+ "https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
 "tags": [
@@ -89182,8 +89426,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml",
+ "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml"
 ],
 "tags": [
@@ -89241,8 +89485,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
 ],
 "tags": [
@@ -89432,8 +89676,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
 "https://gist.github.com/Capybara/6228955",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
 ],
 "tags": [
@@ -89501,8 +89745,8 @@
 "logsource.product": "qualys",
 "refs": [
 "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
@@ -89522,8 +89766,8 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
@@ -89545,8 +89789,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
@@ -90050,9 +90294,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
- "https://man7.org/linux/man-pages/man8/kmod.8.html",
 "https://linux.die.net/man/8/insmod",
+ "https://man7.org/linux/man-pages/man8/kmod.8.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -90107,6 +90351,41 @@
 "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222",
 "value": "Webshell Remote Command Execution"
 },
+ {
+ "description": "Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.",
+ "meta": {
+ "author": "Peter Matkovski, IAI",
+ "creation_date": "2023/03/06",
+ "falsepositive": [
+ "Admin or User activity are expected to generate some false positives"
+ ],
+ "filename": "lnx_auditd_unix_shell_configuration_modification.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
+ "https://www.glitch-cat.com/p/green-lambert-and-attack",
+ "https://objective-see.org/blog/blog_0x68.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a94cdd87-6c54-4678-a6cc-2814ffe5a13d",
+ "value": "Unix Shell Configuration Modification"
+ },
 {
 "description": "Detects exploitation attempt of the vulnerability described in CVE-2021-4034.",
 "meta": {
@@ -90120,8 +90399,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/security/cve/CVE-2021-4034",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
+ "https://access.redhat.com/security/cve/CVE-2021-4034",
 "https://github.com/berdav/CVE-2021-4034",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
 ],
@@ -90155,8 +90434,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/import",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://linux.die.net/man/1/import",
 "https://imagemagick.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
@@ -90322,6 +90601,40 @@
 "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f",
 "value": "System and Hardware Information Discovery"
 },
+ {
+ "description": "Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.\n",
+ "meta": {
+ "author": "IAI",
+ "creation_date": "2023/03/06",
+ "falsepositive": [
+ "Legitimate admin activity"
+ ],
+ "filename": "lnx_auditd_modify_system_firewall.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "linux",
+ "refs": [
+ "https://blog.aquasec.com/container-security-tnt-container-attack",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
+ ],
+ "tags": [
+ "attack.t1562.004",
+ "attack.defense_evasion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "323ff3f5-0013-4847-bbd4-250b5edb62cc",
+ "value": "Modify System Firewall"
+ },
 {
 "description": "Detect changes in auditd configuration files",
 "meta": {
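Review bot: The new "Modify System Firewall" entry in the second hunk carries a literal `\n` inside its description (`...will miss this.\n`), while every other description on this page ends at the sentence; this looks like a YAML block scalar's trailing newline surviving the upstream-to-galaxy conversion. If this file is produced by a generator, the generator should strip trailing whitespace from `description` so entries stay consistent and tag/cluster rendering in MISP does not pick up the stray line break; the change itself belongs in the generator rather than this output file.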
@@ -90335,8 +90648,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Self Experience",
 "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "Self Experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
 ],
 "tags": [
@@ -90369,8 +90682,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
 ],
 "tags": [
@@ -91079,10 +91392,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://linux.die.net/man/1/chage",
- "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://linux.die.net/man/1/chage",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -91108,14 +91421,14 @@
 "author": "Pawel Mazur",
 "creation_date": "2021/09/03",
 "falsepositive": [
- "Legitimate administrative activity"
+ "Likely"
 ],
 "filename": "lnx_auditd_system_info_discovery.yml",
 "level": "low",
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml"
 ],
 "tags": [
@@ -91135,40 +91448,6 @@
 "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71",
 "value": "System Information Discovery - Auditd"
 },
- {
- "description": "Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.",
- "meta": {
- "author": "Peter Matkovski",
- "creation_date": "2019/05/12",
- "falsepositive": [
- "Admin or User activity"
- ],
- "filename": "lnx_auditd_alter_bash_profile.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "linux",
- "refs": [
- "MITRE Attack technique T1156; .bash_profile and .bashrc. ",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml"
- ],
- "tags": [
- "attack.s0003",
- "attack.persistence",
- "attack.t1546.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9",
- "value": "Edit of .bash_profile and .bashrc"
- },
 {
 "description": "Detects overwriting (effectively wiping/deleting) of a file.",
 "meta": {
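Review bot: The second hunk drops the cluster with uuid `e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9` ("Edit of .bash_profile and .bashrc") outright, which orphans any MISP event or attribute already tagged with that galaxy cluster; the successor entry ("Unix Shell Configuration Modification", uuid `a94cdd87-6c54-4678-a6cc-2814ffe5a13d`, same `dest-uuid` b63a34e8-...) is added in an earlier hunk on this page, but nothing links the old uuid to it. If this file is regenerated from upstream Sigma, the generator should keep removed clusters (e.g. marked deprecated, or with a `related` entry of type "similar" pointing at the new uuid) instead of deleting them. In the first hunk, `"falsepositive": ["Likely"]` replaces the more specific `"Legitimate administrative activity"`, and the same bare "Likely" appears in the new "Terminate Linux Process Via Kill" entry further down; this is upstream wording, but it tells an analyst nothing about which benign activity to expect and is worth feeding back to the rule authors.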
@@ -91217,9 +91496,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://linux.die.net/man/8/pam_tty_audit",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -91326,9 +91605,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -91361,9 +91640,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
 "tags": [
@@ -91666,9 +91945,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
- "https://linux.die.net/man/8/useradd",
 "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://linux.die.net/man/8/useradd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -91835,8 +92114,8 @@
 "refs": [
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
 "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
- "http://pastebin.com/FtygZ1cg",
 "https://artkond.com/2017/03/23/pivoting-guide/",
+ "http://pastebin.com/FtygZ1cg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
 "tags": [
@@ -91869,9 +92148,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
- "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
 "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
+ "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
+ "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
 ],
 "tags": [
@@ -91904,8 +92183,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
 "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
 ],
 "tags": [
@@ -92204,9 +92483,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -92437,8 +92716,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -92471,8 +92750,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -92581,9 +92860,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -92748,9 +93027,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/rvim/",
 "https://gtfobins.github.io/gtfobins/vim/",
+ "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
 "tags": [
@@ -92890,6 +93169,42 @@
 "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316",
 "value": "Clipboard Collection with Xclip Tool"
 },
+ {
+ "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".",
+ "meta": {
+ "author": "Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/03/09",
+ "falsepositive": [
+ "Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting)."
+ ],
+ "filename": "proc_creation_lnx_remove_package.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
+ "https://linuxhint.com/uninstall_yum_package/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
+ "https://linuxhint.com/uninstall-debian-packages/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "95d61234-7f56-465c-6f2d-b562c6fedbc4",
+ "value": "Linux Package Uninstall"
+ },
 {
 "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.",
 "meta": {
@@ -93045,9 +93360,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://blogs.blackberry.com/",
+ "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -93123,11 +93438,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://curl.se/docs/manpage.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
 "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -93202,10 +93517,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linux.die.net/man/8/userdel",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/userdel",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -93279,6 +93594,40 @@
 "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1",
 "value": "Linux Crypto Mining Indicators"
 },
+ {
+ "description": "Detects usage of command line tools such as \"kill\", \"pkill\" or \"killall\" to terminate or signal a running process.",
+ "meta": {
+ "author": "Tuan Le (NCSGroup)",
+ "creation_date": "2023/03/16",
+ "falsepositive": [
+ "Likely"
+ ],
+ "filename": "proc_creation_lnx_kill_process.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.cyberciti.biz/faq/how-force-kill-process-linux/",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "64c41342-6b27-523b-5d3f-c265f3efcdb3",
+ "value": "Terminate Linux Process Via Kill"
+ },
 {
 "description": "Detects potential overwriting and deletion of a file using DD.",
 "meta": {
@@ -93426,8 +93775,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -93594,8 +93943,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
 "https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
 ],
 "tags": [
@@ -93628,8 +93977,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://bpftrace.org/",
 "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+ "https://bpftrace.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
 ],
 "tags": [
@@ -93780,10 +94129,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linux.die.net/man/8/groupdel",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -93952,8 +94301,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
 ],
 "tags": [
@@ -94019,8 +94368,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
],
"tags": [
@@ -94372,10 +94721,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng",
- "Internal Research",
"https://github.com/Gui774ume/ebpfkit",
+ "Internal Research",
"https://github.com/pathtofile/bad-bpf",
+ "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml"
],
"tags": [
@@ -94398,9 +94747,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://bpftrace.org/",
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+ "https://bpftrace.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
],
"tags": [
@@ -94457,9 +94806,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
"https://blogs.blackberry.com/",
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
],
"tags": [
@@ -94492,8 +94841,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -94526,8 +94875,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
],
"tags": [
@@ -94660,8 +95009,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/apache/spark/pull/36315/files",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
@@ -94729,8 +95078,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
],
"tags": [
@@ -94808,5 +95157,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": 20230307
+ "version": 20230329
}
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 8fb3311..1cb8de1 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -209,7 +209,21 @@
},
"uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
"value": "Rhadamanthys"
+ },
+ {
+ "description": "Python-based Stealer including Discord, Steam...",
+ "meta": {
+ "refs": [
+ "https://github.com/SOrdeal/Sordeal-Stealer"
+ ],
+ "synonyms": [
+ "Sordeal",
+ "Sordeal Stealer"
+ ]
+ },
+ "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
+ "value": "Sordeal-Stealer"
}
],
- "version": 12
+ "version": 13
}
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d9d8c96..c929748 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2185,7 +2185,8 @@
"T-APT-12",
"APT-C-20",
"UAC-0028",
- "FROZENLAKE"
+ "FROZENLAKE",
+ "Sofacy"
]
},
"related": [
@@ -9780,7 +9781,8 @@
],
"country": "CN",
"refs": [
- "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
+ "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/",
+ "https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf"
],
"synonyms": [
"UNC94"
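Review bot: The new Sordeal-Stealer entry in clusters/stealer.json has, as its only reference, the stealer's own GitHub repository, and its description trails off (`"Python-based Stealer including Discord, Steam..."`), so a reader gets neither an independent source nor a clear statement of what the tool steals. Suggest tightening to `"description": "Python-based information stealer; per its repository it targets at least Discord and Steam data."` and adding a vendor or CERT write-up to `refs` once one exists. Keep the repository link as the primary artifact, but note that it points at live malware source, which matters for anyone who follows refs from an automated pipeline.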
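Review bot: `"Sofacy"` is appended to a `synonyms` array whose beginning lies outside the hunk, so it is not visible here whether the same alias, or a close variant such as "Sofacy Group", already appears earlier in the list for this actor; a duplicated alias inside one cluster value is exactly the kind of inconsistency the galaxy's validation is meant to catch, so check the full array before merging. If a variant is already present, either keep the single established spelling or, if both are genuinely used by different vendors, place the new one next to the existing one rather than at the end so the relationship is obvious.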
@@ -10612,7 +10614,25 @@
],
"uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
"value": "TA866"
+ },
+ {
+ "description": "Since January 23, 2023, a threat actor identifying as \"Anonymous Sudan\" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be \"hacktivists,\" politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Denmark",
+ "Sweden"
+ ],
+ "cfr-type-of-incident": [
+ "Denial of service"
+ ],
+ "references": [
+ "https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf",
+ "https://www.truesec.com/hub/blog/what-is-anonymous-sudan"
+ ]
+ },
+ "uuid": "8ca38564-5515-45f5-9f3b-a4091546e10b",
+ "value": "Anonymous Sudan"
}
],
- "version": 262
+ "version": 263
}
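Review bot: The new Anonymous Sudan entry stores its sources under `"references"`, while the rest of threat-actor.json uses `"refs"` (the Aoqin Dragon entry touched in the previous hunk of this file is one example), so tooling that reads `meta.refs` will most likely neither render nor validate these two links. Change the key to `"refs": [`. Also, `cfr-suspected-victims` lists Denmark, but the description only mentions attacks against organizations in Sweden; either extend the description with the Danish targeting and its source, or drop Denmark so the two fields agree.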