From e88c316e2d7b2f2468d34447e0c0b1952cba3223 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 Nov 2023 09:04:04 +0100 Subject: [PATCH] chg: [sigma] updated to the latest version --- clusters/sigma-rules.json | 6122 +++++++++++++++++++++---------------- 1 file changed, 3474 insertions(+), 2648 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index ed7c795..3f0b1a6 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -99,8 +99,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" ], "tags": [ @@ -134,10 +134,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://core.telegram.org/bots/faq", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -212,8 +212,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -1209,10 +1209,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1321,8 +1321,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29", "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/OTRF/detection-hackathon-apt29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ @@ -1389,8 +1389,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/neu5ron/status/1438987292971053057?s=20", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://twitter.com/neu5ron/status/1438987292971053057?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ @@ -1590,8 +1590,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/nknorg/nkn-sdk-go", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/Maka8ka/NGLite", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], @@ -1650,8 +1650,8 @@ "logsource.product": "zeek", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -1726,12 +1726,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/corelight/CVE-2021-1675", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1863,10 +1863,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://twitter.com/neu5ron/status/1346245602502443009", + "https://tools.ietf.org/html/rfc2929#section-2.1", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", - "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://twitter.com/neu5ron/status/1346245602502443009", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -2175,9 +2175,9 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://rules.sonarsource.com/java/RSPEC-2755", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", + "https://rules.sonarsource.com/java/RSPEC-2755", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -2210,8 +2210,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ @@ -2277,10 +2277,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "http://edgeguides.rubyonrails.org/security.html", "http://guides.rubyonrails.org/action_controller_overview.html", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2313,10 +2313,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -2349,9 +2349,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], @@ -2375,10 +2375,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -2401,10 +2401,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2437,10 +2437,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -2481,10 +2481,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -2517,8 +2517,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], "tags": [ @@ -2541,10 +2541,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -2628,10 +2628,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -2672,11 +2672,11 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], @@ -2700,9 +2700,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], @@ -2735,9 +2735,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], @@ -2761,10 +2761,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -2787,9 +2787,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], @@ -2825,8 +2825,8 @@ "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2849,10 +2849,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -2943,11 +2943,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ @@ -2981,8 +2981,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -3162,9 +3162,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://twitter.com/mrd0x/status/1460597833917251595", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", - "https://twitter.com/mrd0x/status/1460597833917251595", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ @@ -3418,10 +3418,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3455,10 +3455,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ @@ -3493,11 +3493,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ @@ -3531,11 +3531,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3561,7 +3561,9 @@ "meta": { "author": "Christian Burkard (Nextron Systems), Tim Shelton", "creation_date": "2021/07/28", - "falsepositive": "No established falsepositives", + "falsepositive": [ + "Unknown" + ], "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", "level": "high", "logsource.category": "process_access", @@ -3633,8 +3635,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/D1rkMtr/UnhookingPatch", "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", + "https://github.com/D1rkMtr/UnhookingPatch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml" ], "tags": [ @@ -3820,8 +3822,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -3863,9 +3865,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -4002,8 +4004,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -4036,8 +4038,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ @@ -4094,11 +4096,11 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://twitter.com/d4rksystem/status/1357010969264873472", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/SigmaHQ/sigma/issues/253", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://twitter.com/d4rksystem/status/1357010969264873472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -4155,8 +4157,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", + "https://github.com/zcgonvh/EfsPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml" ], "tags": [ @@ -4334,18 +4336,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://github.com/RiccardoAncarani/LiquidSnake", "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ @@ -4414,8 +4416,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ @@ -4472,8 +4474,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/malcomvetter/CSExec", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml" ], "tags": [ @@ -4558,8 +4560,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", - "https://o365blog.com/post/adfs/", "https://github.com/Azure/SimuLand", + "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" ], "tags": [ @@ -4695,8 +4697,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml" ], "tags": [ @@ -4824,8 +4826,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" ], "tags": [ @@ -5212,7 +5214,7 @@ "value": "Security Eventlog Cleared" }, { - "description": "Detects the mount of ISO images on an endpoint", + "description": "Detects the mount of an ISO image on an endpoint", "meta": { "author": "Syed Hasan (@syedhasan009)", "creation_date": "2021/05/29", @@ -5245,7 +5247,7 @@ } ], "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", - "value": "ISO Image Mount" + "value": "ISO Image Mounted" }, { "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", @@ -5379,8 +5381,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -5412,8 +5414,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661", "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml" ], "tags": [ @@ -5446,8 +5448,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": [ @@ -5513,9 +5515,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" ], "tags": [ @@ -5566,8 +5568,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ @@ -5600,8 +5602,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -5668,8 +5670,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -5736,11 +5738,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://github.com/sensepost/ruler/issues/47", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/sensepost/ruler", - "https://github.com/sensepost/ruler/issues/47", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -5830,9 +5832,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://awakesecurity.com/blog/threat-hunting-for-paexec/", "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], "tags": [ @@ -6025,9 +6027,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -6202,8 +6204,8 @@ "logsource.product": "windows", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -6328,9 +6330,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -6686,9 +6688,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6708,6 +6710,39 @@ "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "value": "Possible DC Shadow Attack" }, + { + "description": "Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions\n", + "meta": { + "author": "@BarryShooshooga", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_windows_defender_exclusions_write_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a33f8808-2812-4373-ae95-8cfb82134978", + "value": "Windows Defender Exclusion Deleted" + }, { "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "meta": { @@ -6741,42 +6776,6 @@ "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", "value": "DPAPI Domain Backup Key Extraction" }, - { - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", - "meta": { - "author": "David Strassegger, Tim Shelton", - "creation_date": "2021/01/22", - "falsepositive": [ - "Software installation" - ], - "filename": "win_security_scheduled_task_deletion.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://twitter.com/matthewdunwoody/status/1352356685982146562", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "car.2013-08-001", - "attack.t1053.005" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", - "value": "Scheduled Task Deletion" - }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", "meta": { @@ -6833,8 +6832,8 @@ "logsource.product": "windows", "refs": [ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Live environment caused by malware", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6974,8 +6973,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" ], "tags": [ @@ -7084,8 +7083,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ @@ -7449,9 +7448,9 @@ "logsource.product": "windows", "refs": [ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://twitter.com/Flangvik/status/1283054508084473861", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -7764,9 +7763,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7862,6 +7861,39 @@ "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", "value": "Invoke-Obfuscation VAR+ Launcher - Security" }, + { + "description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n", + "meta": { + "author": "@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_windows_defender_exclusions_write_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "value": "Windows Defender Exclusion Reigstry Key - Write Access Requested" + }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "meta": { @@ -7875,8 +7907,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -7940,20 +7972,20 @@ "value": "Suspicious Kerberos RC4 Ticket Encryption" }, { - "description": "Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender", + "description": "Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n", "meta": { "author": "@BarryShooshooga", "creation_date": "2019/10/26", "falsepositive": [ - "Intended inclusions by administrator" + "Intended exclusions by administrators" ], - "filename": "win_security_defender_bypass.yml", - "level": "high", + "filename": "win_security_windows_defender_exclusions_registry_modified.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml" ], "tags": [ "attack.defense_evasion", @@ -7969,8 +8001,8 @@ "type": "related-to" } ], - "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "value": "Windows Defender Exclusion Set" + "uuid": "46a68649-f218-4f86-aea1-16a759d81820", + "value": "Windows Defender Exclusion List Modified" }, { "description": "Detects known sensitive file extensions accessed on a network share", @@ -8059,8 +8091,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], @@ -8375,9 +8407,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -8476,16 +8508,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://twitter.com/_xpn_/status/1268712093928378368", "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8689,8 +8721,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -8756,8 +8788,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -8790,8 +8822,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2053", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", + "https://adsecurity.org/?p=2053", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ @@ -9016,8 +9048,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -9038,7 +9070,7 @@ "value": "Possible PetitPotam Coerce Authentication Attempt" }, { - "description": "Detects access to a domain user from a non-machine account", + "description": "Detects read access to a domain user from a non-machine account", "meta": { "author": "Maxime Thiebaut (@0xThiebaut)", "creation_date": "2020/03/30", @@ -9050,9 +9082,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -9070,7 +9103,7 @@ } ], "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", - "value": "AD User Enumeration" + "value": "Potential AD User Enumeration From Non-Machine Account" }, { "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", @@ -9085,9 +9118,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3466", - "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -9155,8 +9188,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ @@ -9190,9 +9223,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -9276,8 +9309,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" @@ -9313,8 +9346,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1101431884540710913", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ @@ -9417,9 +9450,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -9554,9 +9587,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -9623,8 +9656,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", + "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -9648,8 +9681,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", + "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml" ], "tags": [ @@ -9783,10 +9816,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], @@ -9889,10 +9922,10 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ @@ -10029,8 +10062,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", + "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml" ], "tags": [ @@ -10115,10 +10148,10 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ @@ -10267,8 +10300,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://goo.gl/PsqrhT", + "https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" ], "tags": [ @@ -10394,10 +10427,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://twitter.com/DidierStevens/status/1217533958096924676", "https://www.youtube.com/watch?v=ebmW42YYveI", "https://nullsec.us/windows-event-log-audit-cve/", + "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], @@ -10594,9 +10627,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -10663,9 +10696,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -10698,8 +10731,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml" ], "tags": [ @@ -10732,8 +10765,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml" ], "tags": [ @@ -10791,7 +10824,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/31", "falsepositive": [ - "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" + "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use." ], "filename": "win_msi_install_from_susp_locations.yml", "level": "medium", @@ -10928,8 +10961,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml" ], "tags": [ @@ -10953,8 +10986,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" ], "tags": [ @@ -11011,8 +11044,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ @@ -11058,9 +11091,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -11181,8 +11214,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", + "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ @@ -11215,8 +11248,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/j00sean/status/1537750439701225472", "https://twitter.com/nas_bench/status/1539679555908141061", + "https://twitter.com/j00sean/status/1537750439701225472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" ], "tags": [ @@ -11239,9 +11272,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ @@ -11264,9 +11297,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ @@ -11289,9 +11322,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ @@ -11314,10 +11347,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/SBousseaden/status/1483810148602814466", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -11340,9 +11373,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ @@ -11365,9 +11398,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ @@ -11390,9 +11423,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ @@ -11415,8 +11448,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/wdormann/status/1590434950335320065", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], @@ -11450,9 +11483,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ @@ -11485,9 +11518,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ @@ -11510,9 +11543,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/afwu/PrintNightmare", "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], "tags": [ @@ -11568,8 +11601,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://winaero.com/enable-openssh-server-windows-10/", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", @@ -11605,9 +11638,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -11690,8 +11723,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" ], "tags": [ @@ -11834,9 +11867,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", - "Internal Research", "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", + "Internal Research", + "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -11992,8 +12025,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ @@ -12093,8 +12126,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ @@ -12196,9 +12229,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], @@ -12268,8 +12301,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -12404,8 +12437,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -12535,8 +12568,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -12627,8 +12660,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jonasLyk/status/1347900440000811010", - "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/wdormann/status/1347958161609809921", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -12682,7 +12715,7 @@ "value": "Local Privilege Escalation Indicator TabTip" }, { - "description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is unsecure as the underlying encryption algorithms can be brute-forced by modern hardware.", + "description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", "meta": { "author": "Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/04/26", @@ -12757,11 +12790,13 @@ "Unknown" ], "filename": "win_system_hack_smbexec.yml", - "level": "critical", + "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", + "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml" ], "tags": [ @@ -12845,8 +12880,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ @@ -13312,9 +13347,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -13800,8 +13835,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml" ], "tags": [ @@ -13859,8 +13894,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -14452,8 +14487,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -14598,9 +14633,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -14633,9 +14668,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -14668,8 +14703,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ @@ -14792,8 +14827,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -14959,8 +14994,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -15066,11 +15101,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -15119,10 +15154,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -15145,10 +15180,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -15171,10 +15206,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -15197,10 +15232,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -15223,8 +15258,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -15247,9 +15282,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -15272,8 +15307,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -15561,8 +15596,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://twitter.com/cyb3rops/status/1659175181695287297", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -15644,8 +15679,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" ], @@ -15680,8 +15715,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -15900,6 +15935,39 @@ "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", "value": "Suspicious Camera and Microphone Access" }, + { + "description": "Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/11/03", + "falsepositive": [ + "Administrative activity" + ], + "filename": "registry_set_enable_anonymous_connection.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4d431012-2ab5-4db7-a84e-b29809da2172", + "value": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" + }, { "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", "meta": { @@ -15915,8 +15983,8 @@ "logsource.product": "windows", "refs": [ "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -15986,8 +16054,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ @@ -16021,8 +16089,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -16056,11 +16124,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/cve-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -16129,8 +16197,8 @@ "logsource.product": "windows", "refs": [ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", - "https://twitter.com/inversecos/status/1494174785621819397", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], "tags": [ @@ -16163,8 +16231,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ @@ -16779,8 +16847,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -16955,9 +17023,9 @@ "logsource.product": "windows", "refs": [ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/hfiref0x/UACME", "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -16986,44 +17054,6 @@ "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "value": "Shell Open Registry Keys Manipulation" }, - { - "description": "Detects the creation of a scheduled task via Registry keys.", - "meta": { - "author": "Center for Threat Informed Defense (CTID) Summiting the Pyramid Team", - "creation_date": "2023/09/27", - "falsepositive": [ - "Normal behaviour on Windows" - ], - "filename": "registry_event_scheduled_task_creation.yml", - "level": "low", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5", - "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.t1053.005", - "car.2013-08-001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "93ff0ceb-e0ef-4586-8cd8-a6c277d738e3", - "value": "Scheduled Task Created - Registry" - }, { "description": "Detects FlowCloud malware from threat group TA410.", "meta": { @@ -17139,8 +17169,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -17314,11 +17344,11 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -17351,8 +17381,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", + "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml" ], "tags": [ @@ -17418,8 +17448,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ @@ -17476,11 +17506,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ @@ -17546,8 +17576,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/amsi.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://persistence-info.github.io/Data/amsi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ @@ -17597,7 +17627,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/24", "falsepositive": [ - "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" + "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment" ], "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml", "level": "medium", @@ -17679,9 +17709,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -17735,7 +17765,7 @@ "value": "Tamper With Sophos AV Registry Keys" }, { - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/10", @@ -17747,8 +17777,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -17861,8 +17891,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/rootm0s/WinPwnage", + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -17895,8 +17925,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml" ], "tags": [ @@ -18071,10 +18101,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", - "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -18133,8 +18163,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -18167,13 +18197,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -18240,8 +18270,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://twitter.com/malmoeb/status/1560536653709598721", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -18266,8 +18296,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -18355,8 +18385,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://www.exploit-db.com/exploits/47696", + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" ], "tags": [ @@ -18584,9 +18614,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -18687,8 +18717,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", - "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -18721,8 +18751,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -18829,9 +18859,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/codesigning.html", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", + "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -18867,8 +18897,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -19122,6 +19152,29 @@ "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "value": "COM Hijacking via TreatAs" }, + { + "description": "Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", + "creation_date": "2023/10/18", + "falsepositive": [ + "Likely" + ], + "filename": "registry_set_powershell_enablescripts_enabled.yml", + "level": "low", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "8218c875-90b9-42e2-b60d-0b0069816d10", + "value": "PowerShell Script Execution Policy Enabled" + }, { "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", "meta": { @@ -19244,7 +19297,7 @@ } ], "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", - "value": "Registry Persitence via Service in Safe Mode" + "value": "Registry Persistence via Service in Safe Mode" }, { "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", @@ -19301,8 +19354,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "Internal Research", + "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" ], "tags": [ @@ -19335,8 +19388,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -19439,8 +19492,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ @@ -19463,8 +19516,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -19654,9 +19707,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -19796,13 +19849,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -19871,8 +19924,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -19907,8 +19960,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -20025,8 +20078,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" ], "tags": [ @@ -20160,9 +20213,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ @@ -20242,8 +20295,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], @@ -20279,8 +20332,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -20313,10 +20366,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", - "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", - "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", + "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -20349,8 +20402,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ @@ -20457,7 +20510,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/05/30", "falsepositive": [ - "Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environement." + "Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment." ], "filename": "registry_set_persistence_custom_protocol_handler.yml", "level": "medium", @@ -20497,9 +20550,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://twitter.com/M_haggis/status/1699056847154725107", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], @@ -20653,12 +20706,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], @@ -20692,8 +20745,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ @@ -20829,8 +20882,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ @@ -20915,8 +20968,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://persistence-info.github.io/Data/hhctrl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -20972,9 +21025,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], "tags": [ @@ -21207,8 +21260,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ @@ -21264,8 +21317,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -21302,8 +21355,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -21336,8 +21389,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/mpnotify.html", "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://persistence-info.github.io/Data/mpnotify.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ @@ -21362,8 +21415,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -21429,8 +21482,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://persistence-info.github.io/Data/aedebug.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -21488,8 +21541,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -21510,7 +21563,7 @@ "value": "System Scripts Autorun Keys Modification" }, { - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "description": "Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", "meta": { "author": "frack113", "creation_date": "2023/01/13", @@ -21522,8 +21575,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -21556,9 +21609,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -21591,9 +21644,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -21634,10 +21687,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ @@ -21704,9 +21757,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], "tags": [ @@ -21841,8 +21894,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/cyber-security-summit/archives", - "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -21969,8 +22022,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -22172,8 +22225,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/lsaaextension.html", "https://twitter.com/0gtweet/status/1476286368385019906", + "https://persistence-info.github.io/Data/lsaaextension.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml" ], "tags": [ @@ -22196,8 +22249,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ @@ -22300,8 +22353,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/1", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -22334,8 +22387,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -22368,9 +22421,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://twitter.com/VakninHai/status/1517027824984547329", "https://twitter.com/pabraeken/status/998627081360695297", "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", - "https://twitter.com/VakninHai/status/1517027824984547329", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -22470,8 +22523,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/autodialdll.html", "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -22528,8 +22581,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://youtu.be/zSihR3lTf7g", + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -22564,9 +22617,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -22633,8 +22686,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/ransomware-families/", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -22665,8 +22718,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -22707,8 +22760,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -22742,8 +22795,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", + "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" ], "tags": [ @@ -22834,9 +22887,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/issues/1371", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/elastic/detection-rules/issues/1371", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], @@ -22878,8 +22931,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ @@ -22946,9 +22999,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", - "https://twitter.com/nas_bench/status/1626648985824788480", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ @@ -23015,8 +23068,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], @@ -23040,17 +23093,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://twitter.com/_xpn_/status/1268712093928378368", "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -23079,7 +23132,7 @@ "value": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, { - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a suspicious or unsuale location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/28", @@ -23126,8 +23179,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -23217,7 +23270,7 @@ { "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", "meta": { - "author": "frack113, Nasreddine Bencherchali", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec", "creation_date": "2022/03/18", "falsepositive": [ "Legitimate admin script" @@ -23227,9 +23280,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -23296,9 +23351,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://twitter.com/0gtweet/status/1468548924600459267", - "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], @@ -23355,8 +23410,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ @@ -23485,9 +23540,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://twitter.com/dez_/status/986614411711442944", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -23690,8 +23745,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml" ], "tags": [ @@ -23721,7 +23776,7 @@ "value": "Svchost DLL Search Order Hijack" }, { - "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", + "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/09/02", @@ -23735,8 +23790,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/HunterPlaybook/status/1301207718355759107", - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -23771,8 +23826,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -23815,10 +23870,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -24055,8 +24110,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://twitter.com/wdormann/status/1547583317410607110", + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" ], "tags": [ @@ -24279,40 +24334,6 @@ "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "value": "Fax Service DLL Search Order Hijack" }, - { - "description": "Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness" - ], - "filename": "image_load_dll_system_drawing_load.yml", - "level": "low", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md", - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_drawing_load.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "related": [ - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "value": "System Drawing DLL Load" - }, { "description": "Detects loading of Amsi.dll by uncommon processes", "meta": { @@ -24326,9 +24347,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/TheD1rkMtr/AMSI_patch", "https://github.com/surya-dev-singh/AmsiBypass-OpenSession", "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9", + "https://github.com/TheD1rkMtr/AMSI_patch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml" ], "tags": [ @@ -24522,12 +24543,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://decoded.avast.io/martinchlumecky/png-steganography/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -24613,8 +24634,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "Internal Research", + "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ @@ -24679,8 +24700,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -24798,8 +24819,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "Internal Research", "https://github.com/gabe-k/themebleed", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml" ], "tags": [ @@ -24875,10 +24896,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://hijacklibs.net/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://hijacklibs.net/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -24921,8 +24942,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", + "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ @@ -24955,8 +24976,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ @@ -25152,8 +25173,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -25307,8 +25328,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ @@ -25450,8 +25471,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.py2exe.org/", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", + "https://www.py2exe.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ @@ -25512,6 +25533,39 @@ "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load" }, + { + "description": "Detects loading and execution of an unsigned thor scanner binary.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/29", + "falsepositive": [ + "Other legitimate binaries named \"thor.exe\" that aren't published by Nextron Systems" + ], + "filename": "image_load_thor_unsigned_execution.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_thor_unsigned_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ea5c131b-380d-49f9-aeb3-920694da4d4b", + "value": "Suspicious Unsigned Thor Scanner Execution" + }, { "description": "Loading unsigned image (DLL, EXE) into LSASS process", "meta": { @@ -25600,10 +25654,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://github.com/tyranid/DotNetToJScript", "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -25758,8 +25812,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], @@ -25802,8 +25856,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" ], "tags": [ @@ -25836,9 +25890,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ @@ -25880,8 +25934,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", + "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -26210,8 +26264,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", + "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml" ], "tags": [ @@ -26394,8 +26448,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -26622,8 +26676,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ly4k/SpoolFool", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -26855,10 +26909,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -27001,9 +27055,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://nmap.org/ncat/", "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -27036,9 +27090,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -27209,7 +27263,7 @@ } ], "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", - "value": "Alternate PowerShell Hosts" + "value": "Uncommon PowerShell Hosts" }, { "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", @@ -27479,7 +27533,7 @@ "value": "Potential RemoteFXvGPUDisablement.EXE Abuse" }, { - "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", + "description": "Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.", "meta": { "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "creation_date": "2022/12/10", @@ -27589,7 +27643,7 @@ "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, { - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo minimal changes by attackers due to bad opsec.\n", "meta": { "author": "ok @securonix invrep_de, oscd.community", "creation_date": "2020/10/09", @@ -27601,8 +27655,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.mdeditor.tw/pl/pgRt", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://www.mdeditor.tw/pl/pgRt", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], @@ -27636,9 +27690,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -27663,8 +27717,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -27697,8 +27751,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -27990,23 +28044,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/adrecon/ADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/samratashok/nishang", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/HarmJ0y/DAMP", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], @@ -28372,23 +28426,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/NetSPI/PowerUpSQL", "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/besimorhino/powercat", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/CsEnox/EventViewer-UACBypass", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -28602,8 +28656,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -28868,8 +28922,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ @@ -28902,8 +28956,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -29078,8 +29132,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -29178,9 +29232,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -29247,8 +29301,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -29400,8 +29454,8 @@ "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2277", - "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], @@ -29510,9 +29564,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -29545,9 +29599,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -29615,8 +29669,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -29782,11 +29836,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://woshub.com/manage-windows-firewall-powershell/", - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -29819,8 +29873,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -29909,8 +29963,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -29977,8 +30031,8 @@ "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], @@ -30202,8 +30256,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -30596,8 +30650,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ @@ -30753,8 +30807,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ @@ -30822,8 +30876,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ @@ -30856,8 +30910,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ @@ -30883,7 +30937,7 @@ "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ - "Depending on the scripts, this rule might require some initial tunning to fit the environment" + "Depending on the scripts, this rule might require some initial tuning to fit the environment" ], "filename": "posh_ps_malicious_keywords.yml", "level": "medium", @@ -31055,9 +31109,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -31117,8 +31171,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ @@ -31185,8 +31239,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -31509,8 +31563,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -31621,8 +31675,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -31688,8 +31742,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://www.powertheshell.com/ntfsstreams/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "http://www.powertheshell.com/ntfsstreams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -31731,8 +31785,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -31765,8 +31819,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -31799,8 +31853,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -31900,8 +31954,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -31934,8 +31988,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -31968,8 +32022,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ @@ -32050,8 +32104,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -32183,8 +32237,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], @@ -32218,9 +32272,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", - "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", + "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], "tags": [ @@ -32286,8 +32340,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ @@ -32321,8 +32375,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -32342,6 +32396,40 @@ "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", "value": "Suspicious Invoke-Item From Mount-DiskImage" }, + { + "description": "Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus\n", + "meta": { + "author": "frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/12/16", + "falsepositive": [ + "False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.", + "As the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced" + ], + "filename": "posh_ps_get_process_security_software_discovery.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", + "value": "Security Software Discovery Via Powershell Script" + }, { "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", "meta": { @@ -32388,8 +32476,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -32422,8 +32510,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -32523,8 +32611,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -32592,8 +32680,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://twitter.com/nas_bench/status/1537919885031772161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -32626,8 +32714,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], @@ -32669,8 +32757,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ @@ -32778,8 +32866,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -32812,10 +32900,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -32893,39 +32981,6 @@ "uuid": "55c925c1-7195-426b-a136-a9396800e29b", "value": "Potential Suspicious Windows Feature Enabled" }, - { - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_security_software_discovery.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ] - }, - "related": [ - { - "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", - "value": "Security Software Discovery by Powershell" - }, { "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", "meta": { @@ -33215,10 +33270,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -33252,8 +33307,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ @@ -33352,8 +33407,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -33427,23 +33482,23 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/adrecon/ADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/samratashok/nishang", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/HarmJ0y/DAMP", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], @@ -33577,8 +33632,8 @@ "logsource.product": "windows", "refs": [ "https://www.shellhacks.com/clear-history-powershell/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -33619,8 +33674,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], @@ -33778,9 +33833,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -33954,8 +34009,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -34055,8 +34110,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" ], "tags": [ @@ -34396,8 +34451,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], @@ -34576,7 +34631,7 @@ "value": "Remote Thread Creation In Mstsc.Exe From Suspicious Location" }, { - "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", + "description": "Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/06/25", @@ -34584,7 +34639,7 @@ "Unknown" ], "filename": "create_remote_thread_win_powershell_susp_targets.yml", - "level": "high", + "level": "medium", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ @@ -34615,7 +34670,7 @@ } ], "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", - "value": "Remote Thread Creation Via PowerShell In Rundll32" + "value": "Remote Thread Creation Via PowerShell In Potentially Suspicious Target" }, { "description": "Detects remote thread creation in \"KeePass.exe\" which could indicates potential password dumping activity", @@ -34630,8 +34685,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/denandz/KeeFarce", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/denandz/KeeFarce", "https://github.com/GhostPack/KeeThief", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], @@ -34652,39 +34707,6 @@ "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "value": "Remote Thread Created In KeePass.EXE" }, - { - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Unknown" - ], - "filename": "create_remote_thread_win_powershell_generic.yml", - "level": "medium", - "logsource.category": "create_remote_thread", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "value": "Remote Thread Creation Via PowerShell" - }, { "description": "Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", "meta": { @@ -34698,8 +34720,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" ], "tags": [ @@ -34798,8 +34820,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "Personal research, statistical analysis", "https://lolbas-project.github.io", + "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml" ], "tags": [ @@ -34866,8 +34888,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ @@ -35067,8 +35089,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/winsiderss/systeminformer", "https://systeminformer.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml" ], "tags": [ @@ -35176,8 +35198,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ @@ -35210,8 +35232,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://reqrypt.org/windivert-doc.html", "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://reqrypt.org/windivert-doc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ @@ -35465,6 +35487,41 @@ "uuid": "4c5fba4a-9ef6-4f16-823d-606246054741", "value": "Dfsvc.EXE Network Connection To Uncommon Ports" }, + { + "description": "Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", + "meta": { + "author": "Kamran Saifullah", + "creation_date": "2023/11/20", + "falsepositive": [ + "Legitimate use of Visual Studio Code tunnel will also trigger this." + ], + "filename": "net_connection_win_vscode_tunnel_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://cydefops.com/vscode-data-exfiltration", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4b657234-038e-4ad5-997c-4be42340bce4", + "value": "Network Connection Initiated To Visual Studio Code Tunnels Domain" + }, { "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", "meta": { @@ -35578,8 +35635,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" ], "tags": [ @@ -35673,9 +35730,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -35772,8 +35829,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -35794,12 +35851,12 @@ "value": "HH.EXE Network Connections" }, { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/10/12", "falsepositive": [ - "Legitimate use of wuauclt.exe over the network." + "Unknown" ], "filename": "net_connection_win_wuauclt_network_connection.yml", "level": "medium", @@ -35824,7 +35881,7 @@ } ], "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", - "value": "Wuauclt Network Connection" + "value": "Potentially Suspicious Wuauclt Network Connection" }, { "description": "Detects a rundll32 that communicates with public IP addresses", @@ -36080,8 +36137,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -36115,11 +36172,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://twitter.com/M_haggis/status/1032799638213066752", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -36378,11 +36435,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", + "https://youtu.be/n2dFlSaBBKo", "https://github.com/looCiprian/GC2-sheet", "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", - "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", - "https://youtu.be/n2dFlSaBBKo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml" ], "tags": [ @@ -36402,6 +36459,41 @@ "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003", "value": "Suspicious Non-Browser Network Communication With Google API" }, + { + "description": "Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", + "meta": { + "author": "Kamran Saifullah", + "creation_date": "2023/11/20", + "falsepositive": [ + "Legitimate use of Devtunnels will also trigger this." + ], + "filename": "net_connection_win_devtunnel_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://cydefops.com/devtunnels-unleashed", + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4", + "value": "Network Connection Initiated To DevTunnels Domain" + }, { "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", "meta": { @@ -36543,6 +36635,42 @@ "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "value": "Suspicious Program Location with Network Connections" }, + { + "description": "Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/16", + "falsepositive": [ + "Legitimate use of ngrok domains" + ], + "filename": "net_connection_win_ngrok_domains.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/blog-post/new-ngrok-domains", + "https://ngrok.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_domains.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "18249279-932f-45e2-b37a-8925f2597670", + "value": "Communication To Ngrok Domains" + }, { "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "meta": { @@ -36586,40 +36714,6 @@ "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "value": "RDP Over Reverse SSH Tunnel" }, - { - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/16", - "falsepositive": [ - "Legitimate use of ngrok.io" - ], - "filename": "net_connection_win_ngrok_io.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://ngrok.com/", - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ] - }, - "related": [ - { - "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "18249279-932f-45e2-b37a-8925f2597670", - "value": "Communication To Ngrok.Io" - }, { "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", "meta": { @@ -36668,8 +36762,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/mttaggart/OffensiveNotion", "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", + "https://github.com/mttaggart/OffensiveNotion", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml" ], "tags": [ @@ -36690,12 +36784,12 @@ "value": "Potentially Suspicious Network Connection To Notion API" }, { - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "description": "Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility", "meta": { "author": "frack113", "creation_date": "2022/01/22", "falsepositive": [ - "Legitimate script" + "Unknown" ], "filename": "net_connection_win_imewdbld.yml", "level": "high", @@ -36721,7 +36815,7 @@ } ], "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", - "value": "Download a File with IMEWDBLD.exe" + "value": "Network Connection Initiated By IMEWDBLD.EXE" }, { "description": "Detects Dllhost that communicates with public IP addresses", @@ -36736,8 +36830,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" ], "tags": [ @@ -36812,8 +36906,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/forensicitguy/status/1513538712986079238", "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", + "https://twitter.com/forensicitguy/status/1513538712986079238", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -36846,10 +36940,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -36916,8 +37010,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ @@ -36984,8 +37078,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -37011,11 +37105,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/CCob/MirrorDump", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/helpsystems/nanodump", "https://www.google.com/search?q=procdump+lsass", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ @@ -37048,9 +37142,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ @@ -37107,8 +37201,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://adsecurity.org/?p=2398", + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" ], "tags": [ @@ -37149,10 +37243,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/FireFart/hivenightmare/", - "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -37186,8 +37280,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -37211,8 +37305,8 @@ "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -37262,11 +37356,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -37284,7 +37378,7 @@ } ], "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", - "value": "Suspicious LNK Double Extension File" + "value": "Suspicious LNK Double Extension File Created" }, { "description": "Ransomware create txt file in the user Desktop", @@ -37332,8 +37426,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ @@ -37367,7 +37461,7 @@ "value": "Creation of a Diagcab" }, { - "description": "Detects the creation of a file with the \".dmp\"/\".hdmp\" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determin the source of the crash.", + "description": "Detects the creation of a file with the \".dmp\"/\".hdmp\" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/09/07", @@ -37469,8 +37563,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -37494,12 +37588,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -37522,10 +37616,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -37545,6 +37639,41 @@ "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "value": "NTDS.DIT Creation By Uncommon Parent Process" }, + { + "description": "Detects the creation of an \"Active Directory Schema Cache File\" (.sch) file by an uncommon tool.", + "meta": { + "author": "xknow @xknow_infosec, Tim Shelton", + "creation_date": "2019/03/24", + "falsepositive": [ + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." + ], + "filename": "file_event_win_adsi_cache_creation_by_uncommon_tool.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ] + }, + "related": [ + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "value": "ADSI-Cache File Creation By Uncommon Tool" + }, { "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "meta": { @@ -37636,11 +37765,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -37706,9 +37835,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/Yaxser/Backstab", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], @@ -37809,8 +37938,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" ], "tags": [ @@ -37917,9 +38046,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", - "Internal Research", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "Internal Research", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ @@ -38018,9 +38147,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "http://addbalance.com/word/startup.htm", + "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], @@ -38176,8 +38305,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ @@ -38211,6 +38340,29 @@ "uuid": "814ddeca-3d31-4265-8e07-8cc54fb44903", "value": "LiveKD Kernel Memory Dump File Created" }, + { + "description": "Detects the creation of file by the \"node.exe\" process in the \".vscode-server\" directory. Could be a sign of remote file creation via VsCode tunnel feature\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_vscode_tunnel_remote_creation_artefacts.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "56e05d41-ce99-4ecd-912d-93f019ee0b71", + "value": "Visual Studio Code Tunnel Remote File Creation" + }, { "description": "Detects the creation of a new Outlook form which can contain malicious code", "meta": { @@ -38224,10 +38376,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", + "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ @@ -38295,8 +38447,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -38356,7 +38508,7 @@ "author": "C.J. May", "creation_date": "2022/08/09", "falsepositive": [ - "Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise" + "Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise" ], "filename": "file_event_win_bloodhound_collection.yml", "level": "high", @@ -38620,10 +38772,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -38656,11 +38808,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -38727,26 +38879,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/adrecon/ADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/Kevin-Robertson/Powermad", "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/adrecon/ADRecon", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -38779,9 +38931,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -38816,7 +38968,7 @@ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/03/17", "falsepositive": [ - "False positives will differ depending on the environement and scripts used. Apply additional filters accordingly." + "False positives will differ depending on the environment and scripts used. Apply additional filters accordingly." ], "filename": "file_event_win_powershell_drop_binary_or_script.yml", "level": "medium", @@ -38956,8 +39108,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -39078,13 +39230,13 @@ { "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "meta": { - "author": "HieuTT35, Nasreddine Bencherchali", + "author": "HieuTT35, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019/10/24", "falsepositive": [ "System administrator creating Powershell profile manually" ], "filename": "file_event_win_susp_powershell_profile.yml", - "level": "high", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ @@ -39191,8 +39343,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" ], "tags": [ @@ -39225,8 +39377,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" ], "tags": [ @@ -39413,8 +39565,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -39482,10 +39634,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -39518,9 +39670,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ @@ -39553,9 +39705,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -39579,9 +39731,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -39612,8 +39764,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -39654,8 +39806,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -39688,8 +39840,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -39789,8 +39941,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ @@ -39997,8 +40149,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ @@ -40031,8 +40183,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" ], "tags": [ @@ -40167,8 +40319,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -40371,8 +40523,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -40395,11 +40547,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/search?q=CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/cube0x0/CVE-2021-36934", "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/search?q=CVE-2021-36934", + "https://github.com/HuskyHacks/ShadowSteal", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -40425,7 +40577,7 @@ "author": "frack113", "creation_date": "2023/05/09", "falsepositive": [ - "False positives will differ depending on the environement and scripts used. Apply additional filters accordingly." + "False positives will differ depending on the environment and scripts used. Apply additional filters accordingly." ], "filename": "file_event_win_powershell_drop_powershell.yml", "level": "low", @@ -40726,8 +40878,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml" ], "tags": [ @@ -40853,8 +41005,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" ], "tags": [ @@ -40919,6 +41071,7 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" ], @@ -40930,6 +41083,39 @@ "uuid": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", "value": "Suspicious File Creation Activity From Fake Recycle.Bin Folder" }, + { + "description": "Detects the creation of an \"lsass.dmp\" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/10/19", + "falsepositive": [ + "Rare case of troubleshooting by an administrator or support that has to be investigated regardless" + ], + "filename": "file_event_win_taskmgr_lsass_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "69ca12af-119d-44ed-b50f-a47af0ebc364", + "value": "LSASS Process Memory Dump Creation Via Taskmgr.EXE" + }, { "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)", "meta": { @@ -40963,44 +41149,6 @@ "uuid": "0b8baa3f-575c-46ee-8715-d6f28cc7d33c", "value": "NTDS.DIT Created" }, - { - "description": "Detects the creation of a scheduled task via file creation.", - "meta": { - "author": "Center for Threat Informed Defense (CTID) Summiting the Pyramid Team", - "creation_date": "2023/09/27", - "falsepositive": [ - "Normal behaviour on Windows" - ], - "filename": "file_event_win_scheduled_task_creation.yml", - "level": "low", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5", - "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" - ] - }, - "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a762e74f-4dce-477c-b023-4ed81df600f9", - "value": "Scheduled Task Created - FileCreation" - }, { "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence", "meta": { @@ -41106,9 +41254,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ @@ -41252,39 +41400,28 @@ "value": "Potential Persistence Attempt Via ErrorHandler.Cmd" }, { - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "description": "Detects the creation of a file with the name \"code_tunnel.json\" which indicate execution and usage of VsCode tunneling utility by an \"Image\" or \"Process\" other than VsCode.\n", "meta": { - "author": "xknow @xknow_infosec, Tim Shelton", - "creation_date": "2019/03/24", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/25", "falsepositive": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." + "Unknown" ], - "filename": "file_event_win_susp_adsi_cache_usage.yml", + "filename": "file_event_win_vscode_tunnel_renamed_execution.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ - "attack.t1001.003", "attack.command_and_control" ] }, - "related": [ - { - "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", - "value": "Suspicious ADSI-Cache Usage By Unknown Tool" + "uuid": "d102b8f5-61dc-4e68-bd83-9a3187c67377", + "value": "Renamed VsCode Code Tunnel Execution - File Indicator" }, { "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", @@ -41299,8 +41436,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], @@ -41401,8 +41538,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" ], "tags": [ @@ -41435,10 +41572,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -41581,8 +41718,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" ], "tags": [ @@ -41615,8 +41752,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" ], "tags": [ @@ -41783,12 +41920,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://github.com/Wh04m1001/SysmonEoP", - "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://github.com/Wh04m1001/SysmonEoP", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -41873,8 +42010,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -41897,8 +42034,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", "https://twitter.com/nas_bench/status/1550836225652686848", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml" ], "tags": [ @@ -41931,8 +42068,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://twitter.com/cyb3rops/status/1552932770464292864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ @@ -42022,40 +42159,6 @@ "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "value": "Suspicious Appended Extension" }, - { - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", - "meta": { - "author": "frack113", - "creation_date": "2022/02/19", - "falsepositive": [ - "Application installation" - ], - "filename": "file_rename_win_not_dll_to_dll.yml", - "level": "medium", - "logsource.category": "file_rename", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", - "https://twitter.com/ffforward/status/1481672378639912960", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.008" - ] - }, - "related": [ - { - "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bbfd974c-248e-4435-8de6-1e938c79c5c1", - "value": "Rename Common File to DLL File" - }, { "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { @@ -42272,8 +42375,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -42476,8 +42579,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://github.com/lclevy/firepwd", "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://github.com/lclevy/firepwd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml" ], "tags": [ @@ -42510,8 +42613,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -42544,8 +42647,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml" ], "tags": [ @@ -42600,7 +42703,7 @@ "value": "Access To Windows Credential History File By Uncommon Application" }, { - "description": "Detects file access requests to files ending with either the \".hive\"/\".reg\" extension, usally associated with Windows Registry backups.", + "description": "Detects file access requests to files ending with either the \".hive\"/\".reg\" extension, usually associated with Windows Registry backups.", "meta": { "author": "frack113", "creation_date": "2023/09/15", @@ -42698,40 +42801,6 @@ "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "value": "File Creation Date Changed to Another Year" }, - { - "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_lolbin_appinstaller.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "value": "AppX Package Installation Attempts Via AppInstaller" - }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { @@ -42745,11 +42814,11 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", - "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ @@ -42802,6 +42871,41 @@ "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "value": "DNS HybridConnectionManager Service Bus" }, + { + "description": "Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", + "meta": { + "author": "citron_ninja", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate use of Visual Studio Code tunnel will also trigger this." + ], + "filename": "dns_query_win_vscode_tunnel_communication.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://cydefops.com/vscode-data-exfiltration", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b3e6418f-7c7a-4fad-993a-93b65027a9f1", + "value": "DNS Query To Visual Studio Code Tunnels Domain" + }, { "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "meta": { @@ -42982,8 +43086,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -43003,6 +43107,40 @@ "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", "value": "Suspicious Cobalt Strike DNS Beaconing - Sysmon" }, + { + "description": "Detects DNS queries made by \"AppInstaller.EXE\". The AppInstaller is the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL\n", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_appinstaller.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppX Package Installation Attempts Via AppInstaller.EXE" + }, { "description": "Detects DNS queries initiated by \"Regsvr32.exe\"", "meta": { @@ -43079,6 +43217,41 @@ "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "value": "DNS Query Tor .Onion Address - Sysmon" }, + { + "description": "Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", + "meta": { + "author": "citron_ninja", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate use of Devtunnels will also trigger this." + ], + "filename": "dns_query_win_devtunnels_communication.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://cydefops.com/devtunnels-unleashed", + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b", + "value": "DNS Query To Devtunnels Domain" + }, { "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", "meta": { @@ -43092,8 +43265,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" ], @@ -43127,12 +43300,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://redcanary.com/blog/raspberry-robin/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://redcanary.com/blog/raspberry-robin/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -43153,7 +43326,7 @@ "value": "New DLL Registered Via Odbcconf.EXE" }, { - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/17", @@ -43209,42 +43382,6 @@ "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "value": "Webshell Hacking Activity Patterns" }, - { - "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2022/06/09", - "falsepositive": [ - "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" - ], - "filename": "proc_creation_win_lolbin_squirrel.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", - "value": "Use of Squirrel.exe" - }, { "description": "Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.", "meta": { @@ -43348,8 +43485,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ @@ -43382,8 +43519,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -43416,8 +43553,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://www.cobaltstrike.com/help-windows-executable", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], @@ -43451,8 +43588,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", + "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml" ], "tags": [ @@ -43532,12 +43669,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -43711,8 +43848,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ @@ -43852,8 +43989,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", "https://twitter.com/countuponsec/status/910977826853068800", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], @@ -43887,8 +44024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml" ], @@ -43943,9 +44080,9 @@ "value": "Use Icacls to Hide File to Everyone" }, { - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unknown" @@ -43955,8 +44092,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -44026,8 +44163,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -44161,8 +44298,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], @@ -44197,8 +44334,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", "https://github.com/shantanu561993/SharpChisel", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ @@ -44231,8 +44368,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml" ], @@ -44300,13 +44437,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ @@ -44341,12 +44478,12 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/xorJosh/status/1598646907802451969", + "https://ngrok.com/docs", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://ngrok.com/docs", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -44413,8 +44550,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ @@ -44447,14 +44584,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -44495,9 +44632,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], @@ -44580,8 +44717,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml" ], "tags": [ @@ -44659,9 +44796,9 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://redcanary.com/blog/yellow-cockatoo/", "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://redcanary.com/blog/yellow-cockatoo/", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -44819,9 +44956,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ @@ -44876,6 +45013,41 @@ "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", "value": "PDQ Deploy Remote Adminstartion Tool Execution" }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wuauclt_dll_loading.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", + "value": "Proxy Execution Via Wuauclt.EXE" + }, { "description": "Detects WMI script event consumers", "meta": { @@ -44925,6 +45097,7 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ @@ -45067,8 +45240,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml" ], "tags": [ @@ -45101,8 +45274,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", + "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ @@ -45190,16 +45363,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://twitter.com/_xpn_/status/1268712093928378368", "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -45219,6 +45392,41 @@ "uuid": "41421f44-58f9-455d-838a-c398859841d4", "value": "ETW Logging Tamper In .NET Processes" }, + { + "description": "Detects execution of \"findstr\" to search for common names of security tools. Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "creation_date": "2023/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_security_keyword_lookup.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "related": [ + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4fe074b4-b833-4081-8f24-7dcfeca72b42", + "value": "Security Tools Keyword Lookup Via Findstr.EXE" + }, { "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", "meta": { @@ -45266,9 +45474,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -45288,42 +45496,6 @@ "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", "value": "Suspicious Schtasks Schedule Types" }, - { - "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2021/05/22", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" - ], - "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.poweradmin.com/paexec/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "related": [ - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "207b0396-3689-42d9-8399-4222658efc99", - "value": "Potential Privilege Escalation To LOCAL SYSTEM" - }, { "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", "meta": { @@ -45481,9 +45653,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -45733,8 +45905,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], @@ -45768,8 +45940,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://linux.die.net/man/1/bash", "Internal Research", + "https://linux.die.net/man/1/bash", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], @@ -45790,64 +45962,6 @@ "uuid": "2d22a514-e024-4428-9dba-41505bd63a5b", "value": "Indirect Command Execution From Script File Via Bash.EXE" }, - { - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", - "meta": { - "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", - "creation_date": "2017/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_webshell_detection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", - "value": "Webshell Detection With Command Line Keywords" - }, { "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", "meta": { @@ -45861,8 +45975,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/", "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", + "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml" ], "tags": [ @@ -45970,8 +46084,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.autohotkey.com/download/", "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/", + "https://www.autohotkey.com/download/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml" ], "tags": [ @@ -45995,8 +46109,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bryon_/status/975835709587075072", - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ @@ -46169,9 +46283,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], @@ -46290,8 +46404,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], @@ -46408,10 +46522,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ @@ -46486,8 +46600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", + "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" ], "tags": [ @@ -46529,8 +46643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ @@ -46661,20 +46775,20 @@ "value": "Potentially Suspicious WebDAV LNK Execution" }, { - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "description": "Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarly stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\\"\n", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/19", + "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", + "creation_date": "2023/11/09", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml", + "filename": "proc_creation_win_susp_ms_appinstaller_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml" ], "tags": [ "attack.defense_evasion", @@ -46691,8 +46805,8 @@ "type": "related-to" } ], - "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "value": "Arbitrary File Download Via MSPUB.EXE" + "uuid": "180c7c5c-d64b-4a63-86e9-68910451bc8b", + "value": "Potential File Download Via MS-AppInstaller Protocol Handler" }, { "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", @@ -46767,7 +46881,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/03/10", "falsepositive": [ - "Legitimate activity is expected since extracting files with a password can be common in some environement." + "Legitimate activity is expected since extracting files with a password can be common in some environment." ], "filename": "proc_creation_win_7zip_password_extraction.yml", "level": "medium", @@ -46807,9 +46921,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ @@ -46925,8 +47039,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" ], "tags": [ @@ -46975,8 +47089,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ @@ -47042,8 +47156,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" ], "tags": [ @@ -47217,9 +47331,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], @@ -47255,8 +47369,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ @@ -47289,8 +47403,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], @@ -47325,10 +47439,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -47445,9 +47559,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -47548,8 +47662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ @@ -47582,8 +47696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -47606,9 +47720,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -47642,8 +47756,8 @@ "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -47677,8 +47791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -47765,25 +47879,24 @@ "value": "Execution in Webserver Root Folder" }, { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", - "creation_date": "2020/10/12", + "author": "Sreeman", + "creation_date": "2020/03/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_wuauclt.yml", - "level": "high", + "filename": "proc_creation_win_appvlp_uncommon_child_process.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml" + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml" ], "tags": [ - "attack.defense_evasion", "attack.t1218", + "attack.defense_evasion", "attack.execution" ] }, @@ -47796,8 +47909,8 @@ "type": "related-to" } ], - "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", - "value": "Proxy Execution via Wuauclt" + "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "value": "Uncommon Child Process Of Appvlp.EXE" }, { "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", @@ -47812,9 +47925,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unicode-explorer.com/c/202E", - "https://redcanary.com/blog/right-to-left-override/", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", + "https://redcanary.com/blog/right-to-left-override/", + "https://unicode-explorer.com/c/202E", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ @@ -47848,8 +47961,8 @@ "logsource.product": "windows", "refs": [ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", - "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ @@ -47891,9 +48004,9 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -47993,14 +48106,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -48042,9 +48155,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -48177,8 +48290,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/cmd.html", "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ @@ -48211,8 +48324,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -48296,8 +48409,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], @@ -48399,9 +48512,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/vysecurity/status/885545634958385153", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" @@ -48561,8 +48674,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], @@ -48596,8 +48709,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -48832,7 +48945,7 @@ "creation_date": "2023/08/06", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_gpg4win_portable_execution.yml", - "level": "high", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -48872,8 +48985,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", - "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://blog.viettelcybersecurity.com/saml-show-stopper/", + "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -48908,8 +49021,8 @@ "logsource.product": "windows", "refs": [ "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -48944,8 +49057,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ @@ -49131,8 +49244,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ @@ -49165,9 +49278,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml" ], "tags": [ @@ -49370,9 +49483,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], @@ -49437,8 +49550,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ @@ -49480,8 +49593,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -49514,8 +49627,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ @@ -49549,8 +49662,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ @@ -49641,8 +49754,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ @@ -49662,6 +49775,42 @@ "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", "value": "New ActiveScriptEventConsumer Created Via Wmic.EXE" }, + { + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/05/22", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + ], + "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "207b0396-3689-42d9-8399-4222658efc99", + "value": "Potential Privilege Escalation To LOCAL SYSTEM" + }, { "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", "meta": { @@ -49675,8 +49824,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -49921,10 +50070,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://twitter.com/ReaQta/status/1222548288731217921", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -49958,9 +50107,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", "https://www.revshells.com/", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -50119,8 +50268,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://nsudo.m2team.org/en-us/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" ], "tags": [ @@ -50204,15 +50353,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://github.com/Neo23x0/Raccine#the-process", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://github.com/Neo23x0/Raccine#the-process", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -50254,8 +50403,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ @@ -50322,11 +50471,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://man.openbsd.org/ssh_config#ProxyCommand", - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://gtfobins.github.io/gtfobins/ssh/", "https://man.openbsd.org/ssh_config#LocalCommand", + "https://gtfobins.github.io/gtfobins/ssh/", "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -50346,30 +50495,6 @@ "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "value": "Lolbin Ssh.exe Use As Proxy" }, - { - "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/07/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_curl_download_direct_ip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "5cb299fc-5fb1-4d07-b989-0644c68b6043", - "value": "Suspicious File Download From IP Via Curl.EXE" - }, { "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", "meta": { @@ -50383,8 +50508,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -50525,8 +50650,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], @@ -50551,8 +50676,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], @@ -50597,9 +50722,9 @@ "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", - "https://twitter.com/Max_Mal_/status/1633863678909874176", - "https://twitter.com/_JohnHammond/status/1588155401752788994", "Internal Research", + "https://twitter.com/_JohnHammond/status/1588155401752788994", + "https://twitter.com/Max_Mal_/status/1633863678909874176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ @@ -50619,48 +50744,6 @@ "uuid": "f99abdf0-6283-4e71-bd2b-b5c048a94743", "value": "Potentially Suspicious Office Document Executed From Trusted Location" }, - { - "description": "Detects code execution via the Windows Update client (wuauclt)", - "meta": { - "author": "FPT.EagleEye Team", - "creation_date": "2020/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wuauclt_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", - "value": "Windows Update Client LOLBIN" - }, { "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "meta": { @@ -50773,13 +50856,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://www.cobaltstrike.com/help-opsec", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -50812,10 +50895,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], @@ -50869,6 +50953,41 @@ "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "value": "Potential RDP Tunneling Via SSH" }, + { + "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_imewbdld_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "863218bd-c7d0-4c52-80cd-0a96c09f54af", + "value": "Arbitrary File Download Via IMEWDBLD.EXE" + }, { "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", "meta": { @@ -51072,7 +51191,41 @@ "value": "HackTool - Impersonate Execution" }, { - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_presentationhost_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "value": "Arbitrary File Download Via PresentationHost.EXE" + }, + { + "description": "Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)", "meta": { "author": "Andreas Hunkeler (@Karneades), Florian Roth", "creation_date": "2021/12/17", @@ -51094,7 +51247,7 @@ ] }, "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "value": "Suspicious Shells Spawned by Java" + "value": "Suspicious Processes Spawned by Java.EXE" }, { "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", @@ -51177,9 +51330,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ @@ -51246,9 +51399,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -51315,8 +51468,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": [ @@ -51350,9 +51503,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ @@ -51408,8 +51561,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://twitter.com/cglyer/status/1183756892952248325", + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -51589,8 +51742,8 @@ "logsource.product": "windows", "refs": [ "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ @@ -51703,9 +51856,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -51730,8 +51883,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -51764,9 +51917,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/0gtweet/status/1583356502340870144", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", - "https://twitter.com/0gtweet/status/1583356502340870144", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], @@ -51808,10 +51961,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ @@ -52243,8 +52396,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], "tags": [ @@ -52312,8 +52465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/defaultpack.exe", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", + "https://www.echotrail.io/insights/search/defaultpack.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ @@ -52347,10 +52500,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -52405,39 +52558,6 @@ "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", "value": "PowerShell Script Run in AppData" }, - { - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_installutil_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", - "value": "Suspicious Execution of InstallUtil To Download" - }, { "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", "meta": { @@ -52484,9 +52604,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -52587,10 +52707,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -52640,10 +52760,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -52676,8 +52796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", + "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -52766,9 +52886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ @@ -52968,8 +53088,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -53011,11 +53131,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -53220,6 +53340,41 @@ "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "value": "Format.com FileSystem LOLBIN" }, + { + "description": "Detects the excution of a potential recon command where the results are piped to \"findstr\". This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example. Attackers often time use this to extract specific information they require in their chain.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "creation_date": "2023/07/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_recon_pipe_output.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", + "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3", + "value": "Recon Command Output Piped To Findstr.EXE" + }, { "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", "meta": { @@ -53233,9 +53388,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://twitter.com/Hexacorn/status/1420053502554951689", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -53263,49 +53418,6 @@ "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "value": "Potential Credential Dumping Via LSASS Process Clone" }, - { - "description": "Detect the use of Windows Defender to download payloads", - "meta": { - "author": "Matthew Matchen", - "creation_date": "2020/09/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", - "value": "Windows Defender Download Activity" - }, { "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", "meta": { @@ -53319,8 +53431,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" ], "tags": [ @@ -53353,11 +53465,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -53434,8 +53546,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -53501,13 +53613,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ @@ -53540,9 +53652,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], @@ -53619,8 +53731,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/electron/rcedit", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], @@ -53679,9 +53791,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -53749,8 +53861,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ @@ -53784,8 +53896,8 @@ "logsource.product": "windows", "refs": [ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -53818,8 +53930,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ @@ -53869,9 +53981,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -53978,39 +54090,6 @@ "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", "value": "Suspicious PowerShell Invocation From Script Engines" }, - { - "description": "Detects when a user downloads file by using CertOC.exe", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/05/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_certoc_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "value": "Suspicious File Download via CertOC.exe" - }, { "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", "meta": { @@ -54057,8 +54136,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://attack.mitre.org/software/S0108/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ @@ -54093,8 +54172,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], @@ -54138,9 +54217,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1534915321856917506", "https://twitter.com/nas_bench/status/1534916659676422152", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534915321856917506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ @@ -54207,8 +54286,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ @@ -54228,40 +54307,6 @@ "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "value": "Potential SPN Enumeration Via Setspn.EXE" }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", - "value": "Download Arbitrary Files Via PresentationHost.exe" - }, { "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", "meta": { @@ -54365,10 +54410,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537896324837781506", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -54401,12 +54446,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://positive.security/blog/ms-officecmd-rce", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://positive.security/blog/ms-officecmd-rce", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml" ], "tags": [ @@ -54498,6 +54543,40 @@ "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", "value": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, + { + "description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/11/09", + "falsepositive": [ + "Msxsl is not installed by default and is deprecated, so unlikely on most systems." + ], + "filename": "proc_creation_win_msxsl_remote_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ] + }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75d0a94e-6252-448d-a7be-d953dff527bb", + "value": "Remote XSL Execution Via Msxsl.EXE" + }, { "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "meta": { @@ -54544,8 +54623,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -54579,9 +54658,9 @@ "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -54763,9 +54842,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -54807,8 +54886,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], @@ -54829,65 +54908,6 @@ "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "value": "Esentutl Steals Browser Information" }, - { - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "meta": { - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", - "creation_date": "2020/10/05", - "falsepositive": [ - "Administrative findstr usage" - ], - "filename": "proc_creation_win_lolbin_findstr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", - "value": "Abusing Findstr for Defense Evasion" - }, { "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "meta": { @@ -54901,9 +54921,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], @@ -54983,8 +55003,8 @@ "refs": [ "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -55040,8 +55060,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -55124,8 +55144,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ @@ -55191,8 +55211,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -55242,8 +55262,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -55276,8 +55296,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" ], "tags": [ @@ -55310,9 +55330,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.gpg4win.de/documentation.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.gpg4win.de/documentation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ @@ -55359,9 +55379,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -55585,10 +55605,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/defaultnamehere/cookie_crimes/", - "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -55621,8 +55641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": [ @@ -55722,9 +55742,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], @@ -55778,6 +55798,41 @@ "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "value": "Suspicious Execution From GUID Like Folder Names" }, + { + "description": "Detects the installation of VsCode tunnel (code-tunnel) as a service.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate installation of code-tunnel as a service" + ], + "filename": "proc_creation_win_vscode_tunnel_service_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "30bf1789-379d-4fdc-900f-55cd0a90a801", + "value": "Visual Studio Code Tunnel Service Installation" + }, { "description": "Detects creation of a scheduled task with a GUID like name", "meta": { @@ -55791,8 +55846,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -55924,8 +55979,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -56026,8 +56081,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://twitter.com/RedDrip7/status/1506480588827467785", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -56060,8 +56115,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ @@ -56169,8 +56224,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" ], "tags": [ @@ -56203,9 +56258,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://redcanary.com/blog/child-processes/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -56314,8 +56369,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", + "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -56397,8 +56452,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" ], "tags": [ @@ -56534,8 +56589,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ @@ -56604,8 +56659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ @@ -56639,8 +56694,8 @@ "logsource.product": "windows", "refs": [ "https://www.php.net/manual/en/features.commandline.php", - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -56683,6 +56738,42 @@ "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "value": "Suspicious Workstation Locking via Rundll32" }, + { + "description": "Detects the usage of the \"Squirrel.exe\" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2022/06/09", + "falsepositive": [ + "Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)" + ], + "filename": "proc_creation_win_squirrel_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c", + "value": "Arbitrary File Download Via Squirrel.EXE" + }, { "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "meta": { @@ -56696,8 +56787,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ @@ -56808,11 +56899,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -56935,8 +57026,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ @@ -56960,9 +57051,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ @@ -57216,8 +57307,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" ], "tags": [ @@ -57287,9 +57378,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -57309,47 +57400,6 @@ "uuid": "8e3c7994-131e-4ba5-b6ea-804d49113a26", "value": "Uncommon Child Process Spawned By Odbcconf.EXE" }, - { - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "meta": { - "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Particular web applications may spawn a shell process legitimately" - ], - "filename": "proc_creation_win_webshell_spawn.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", - "value": "Shells Spawned by Web Servers" - }, { "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", "meta": { @@ -57363,14 +57413,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -57479,8 +57529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ @@ -57533,6 +57583,39 @@ "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "value": "HackTool - CreateMiniDump Execution" }, + { + "description": "Detects when a user downloads a file by using CertOC.exe", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certoc_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "value": "File Download via CertOC.EXE" + }, { "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "meta": { @@ -57546,9 +57629,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -57646,9 +57729,9 @@ "value": "PowerShell Get-Clipboard Cmdlet Via CLI" }, { - "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks", "meta": { - "author": "Bhabesh Raj", + "author": "Bhabesh Raj, X__Junior (Nextron Systems)", "creation_date": "2021/07/30", "falsepositive": [ "System administrator Usage" @@ -57658,8 +57741,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", + "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -57677,7 +57760,7 @@ } ], "uuid": "9f107a84-532c-41af-b005-8d12a607639f", - "value": "Suspicious Cabinet File Expansion" + "value": "Potentially Suspicious Cabinet File Expansion" }, { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", @@ -57693,8 +57776,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -57817,8 +57900,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -57841,13 +57924,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -57923,8 +58006,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -57959,10 +58042,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://twitter.com/christophetd/status/1164506034720952320", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -58063,12 +58146,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -58109,8 +58192,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -58136,7 +58219,7 @@ "author": "Michael Haag", "creation_date": "2019/01/16", "falsepositive": [ - "Some additional tunning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy." + "Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy." ], "filename": "proc_creation_win_wscript_cscript_script_exec.yml", "level": "medium", @@ -58183,12 +58266,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/885258886428725250", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479106975967240209", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/Hexacorn/status/885258886428725250", "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/nas_bench/status/1433344116071583746", - "https://twitter.com/eral4m/status/1479106975967240209", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -58289,8 +58372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], @@ -58349,8 +58432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Tylous/ZipExec", "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" ], "tags": [ @@ -58456,6 +58539,40 @@ "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", "value": "Explorer NOUACCHECK Flag" }, + { + "description": "Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files any bypass AWL\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/07/01", + "falsepositive": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "filename": "proc_creation_win_presentationhost_uncommon_location_exec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "value": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" + }, { "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", "meta": { @@ -58572,9 +58689,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -58801,8 +58918,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", + "https://twitter.com/mrd0x/status/1463526834918854661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ @@ -58836,10 +58953,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], "tags": [ @@ -58872,10 +58989,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://blog.alyac.co.kr/1901", "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://blog.alyac.co.kr/1901", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], @@ -59061,8 +59178,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ @@ -59192,7 +59309,7 @@ "value": "Regsvr32 DLL Execution With Uncommon Extension" }, { - "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", + "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/12/27", @@ -59239,8 +59356,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], @@ -59441,8 +59558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" ], "tags": [ @@ -59463,37 +59580,38 @@ "value": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" }, { - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe", "meta": { - "author": "Cian Heasley, Florian Roth", - "creation_date": "2020/07/22", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/18", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_webshell_recon_detection.yml", + "filename": "proc_creation_win_certoc_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.command_and_control", + "attack.execution", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", - "value": "Webshell Recon Detection Via CommandLine & Processes" + "uuid": "b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a", + "value": "File Download From IP Based URL Via CertOC.EXE" }, { "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", @@ -59541,8 +59659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -59575,9 +59693,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -59601,9 +59719,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -59769,8 +59887,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml" ], "tags": [ @@ -59886,9 +60004,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" ], "tags": [ @@ -59988,9 +60106,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -60072,8 +60190,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" ], "tags": [ @@ -60148,10 +60266,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://twitter.com/SBousseaden/status/1211636381086339073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -60269,8 +60387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" ], "tags": [ @@ -60369,13 +60487,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -60432,8 +60550,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -60504,7 +60622,7 @@ "value": "Root Certificate Installed From Susp Locations" }, { - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", "meta": { "author": "Sreeman", "creation_date": "2020/01/13", @@ -60585,8 +60703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ @@ -60619,10 +60737,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ @@ -60655,8 +60773,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], @@ -60678,39 +60796,6 @@ "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "value": "Firewall Disabled via Netsh.EXE" }, - { - "description": "Detects execution of the IEExec utility to download payloads", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/05/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "value": "Abusing IEExec To Download Payloads" - }, { "description": "Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "meta": { @@ -60724,8 +60809,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" ], "tags": [ @@ -60808,8 +60893,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], @@ -60843,8 +60928,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml" ], "tags": [ @@ -60910,8 +60995,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], "tags": [ @@ -60969,8 +61054,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml" ], "tags": [ @@ -61073,8 +61158,8 @@ "refs": [ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -61117,6 +61202,40 @@ "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "value": "SystemStateBackup Deleted Using Wbadmin.EXE" }, + { + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)\n", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_protocolhandler_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "value": "File Download Using ProtocolHandler.exe" + }, { "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", "meta": { @@ -61166,8 +61285,8 @@ "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ @@ -61312,9 +61431,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -61381,8 +61500,8 @@ "logsource.product": "windows", "refs": [ "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -61415,8 +61534,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -61463,10 +61582,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -61574,8 +61693,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" ], "tags": [ @@ -61641,10 +61760,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], @@ -61678,8 +61797,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ @@ -61779,8 +61898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -61866,10 +61985,10 @@ } ], "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", - "value": "Remote File Download via Desktopimgdownldr Utility" + "value": "Remote File Download Via Desktopimgdownldr Utility" }, { - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/02/26", @@ -61914,9 +62033,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", - "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", + "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], "tags": [ @@ -61958,8 +62077,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], @@ -61993,8 +62112,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" ], "tags": [ @@ -62050,8 +62169,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], @@ -62085,8 +62204,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml" ], "tags": [ @@ -62119,9 +62238,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ @@ -62230,11 +62349,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://twitter.com/cglyer/status/1355171195654709249", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -62267,9 +62386,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/frgnca/AudioDeviceCmdlets", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -62302,9 +62421,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -62324,6 +62443,40 @@ "uuid": "435e10e4-992a-4281-96f3-38b11106adde", "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" }, + { + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mspub_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mspub_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "value": "Arbitrary File Download Via MSPUB.EXE" + }, { "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", "meta": { @@ -62337,10 +62490,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://nodejs.org/api/cli.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -62374,8 +62527,8 @@ "logsource.product": "windows", "refs": [ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -62442,8 +62595,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", + "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -62682,13 +62835,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://positive.security/blog/ms-officecmd-rce", - "https://github.com/mttaggart/quasar", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://taggart-tech.com/quasar-electron/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://positive.security/blog/ms-officecmd-rce", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://github.com/mttaggart/quasar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -62787,9 +62940,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "http://www.xuetr.com/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ @@ -62926,37 +63079,47 @@ "value": "Local Accounts Discovery" }, { - "description": "Detects execution of \"findstr\" as a child process of potentially suspicious parent command lines. This is often the case when \"findstr\" is used to filter out the results of certain reconnaissance commands such as \"tasklist\" or \"ipconfig /all\"", + "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files", "meta": { - "author": "frack113", - "creation_date": "2023/07/06", + "author": "Matthew Matchen", + "creation_date": "2020/09/04", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_findstr_susp_parent.yml", - "level": "medium", + "filename": "proc_creation_win_mpcmdrun_download_arbitrary_file.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml" + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ - "attack.discovery", - "attack.t1057" + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" ] }, "related": [ { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3", - "value": "Potentially Suspicious Findstr.EXE Execution" + "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", + "value": "File Download Via Windows Defender MpCmpRun.EXE" }, { "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", @@ -63081,8 +63244,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1616702107242971144", "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", + "https://twitter.com/malmoeb/status/1616702107242971144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -63139,9 +63302,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -63182,8 +63345,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], @@ -63238,7 +63401,7 @@ "value": "Schtasks From Suspicious Folders" }, { - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/09", @@ -63357,8 +63520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -63378,29 +63541,6 @@ "uuid": "f35c5d71-b489-4e22-a115-f003df287317", "value": "Potential CobaltStrike Process Patterns" }, - { - "description": "Detects usage of the wevtutil utility to perform reconnaissance", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/09", - "falsepositive": [ - "Legitimate usage of the utility by administrators to query the event log" - ], - "filename": "proc_creation_win_wevtutil_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", - "value": "Potential Recon Activity Using Wevtutil" - }, { "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", "meta": { @@ -63414,9 +63554,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -63439,10 +63579,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -63475,9 +63615,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], @@ -63544,8 +63684,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", + "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], @@ -63580,9 +63720,9 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -63605,7 +63745,7 @@ { "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2019/08/24", "falsepositive": [ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", @@ -63617,11 +63757,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ @@ -63730,8 +63870,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], @@ -63955,8 +64095,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -63989,8 +64129,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml" ], "tags": [ @@ -64076,6 +64216,39 @@ "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", "value": "Potential Dosfuscation Activity" }, + { + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2019/02/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_calc_uncommon_exec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ItsReallyNick/status/1094080242686312448", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "value": "Suspicious Calculator Usage" + }, { "description": "Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow", "meta": { @@ -64089,8 +64262,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ @@ -64153,40 +64326,6 @@ "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Potential Encoded PowerShell Patterns In CommandLine" }, - { - "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", - "meta": { - "author": "frack113", - "creation_date": "2021/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_protocolhandler_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", - "value": "File Download Using ProtocolHandler.exe" - }, { "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", "meta": { @@ -64258,11 +64397,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -64328,13 +64467,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -64442,8 +64581,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml" ], "tags": [ @@ -64477,9 +64616,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -64658,6 +64797,41 @@ "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "value": "Write Protect For Storage Disabled" }, + { + "description": "Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_vscode_tunnel_renamed_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2cf29f11-e356-4f61-98c0-1bdb9393d6da", + "value": "Renamed Visual Studio Code Tunnel Execution" + }, { "description": "Detects when verclsid.exe is used to run COM object via GUID", "meta": { @@ -64706,8 +64880,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], @@ -64776,10 +64950,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -64889,8 +65063,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -64924,11 +65098,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -64957,6 +65131,65 @@ "uuid": "add64136-62e5-48ea-807e-88638d02df1e", "value": "Fsutil Suspicious Invocation" }, + { + "description": "Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.\n", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrative or software activity" + ], + "filename": "proc_creation_win_findstr_subfolder_search.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "04936b66-3915-43ad-a8e5-809eadfd1141", + "value": "Insensitive Subfolder Search Via Findstr.EXE" + }, { "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "meta": { @@ -65004,8 +65237,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ @@ -65070,8 +65303,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -65114,7 +65347,7 @@ ] }, "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "value": "Shells Spawned by Java" + "value": "Shell Process Spawned by Java.EXE" }, { "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", @@ -65162,9 +65395,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", + "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -65213,11 +65446,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/835149808817991680", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], @@ -65251,9 +65484,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], @@ -65287,8 +65520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -65418,8 +65651,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], @@ -65646,8 +65879,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ @@ -65689,8 +65922,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ @@ -65825,8 +66058,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478116126005641220", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://twitter.com/mrd0x/status/1478116126005641220", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ @@ -65844,7 +66077,7 @@ } ], "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", - "value": "File Download From Browser Process Via Inline Link" + "value": "File Download From Browser Process Via Inline URL" }, { "description": "Detects usage of winget to add new potentially suspicious download sources", @@ -65894,8 +66127,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ @@ -65996,8 +66229,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -66182,8 +66415,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ @@ -66237,6 +66470,41 @@ "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "value": "Potential NTLM Coercion Via Certutil.EXE" }, + { + "description": "Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), citron_ninja", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate use of Visual Studio Code tunnel" + ], + "filename": "proc_creation_win_vscode_tunnel_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "90d6bd71-dffb-4989-8d86-a827fedd6624", + "value": "Visual Studio Code Tunnel Execution" + }, { "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", "meta": { @@ -66342,10 +66610,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://twitter.com/mattifestation/status/986280382042595328", "https://atomicredteam.io/defense-evasion/T1220/", "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://twitter.com/mattifestation/status/986280382042595328", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ @@ -66470,8 +66738,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -66527,10 +66795,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -66643,40 +66911,6 @@ "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "value": "Exports Registry Key To a File" }, - { - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", - "value": "Download Arbitrary Files Via MSOHTMED.EXE" - }, { "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", "meta": { @@ -66691,9 +66925,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -66809,13 +67043,12 @@ "value": "WmiPrvSE Spawned A Process" }, { - "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "description": "Detects the execution of WMIC with the \"format\" flag to potentially load XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.\n", "meta": { "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "creation_date": "2019/10/21", "falsepositive": [ "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", - "Msxsl.exe is not installed by default, so unlikely.", "Static format arguments - https://petri.com/command-line-wmi-part-3" ], "filename": "proc_creation_win_wmic_xsl_script_processing.yml", @@ -66841,7 +67074,7 @@ } ], "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", - "value": "XSL Script Processing" + "value": "XSL Script Execution Via WMIC.EXE" }, { "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", @@ -66889,8 +67122,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -66925,8 +67158,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -67089,10 +67322,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -67128,9 +67361,9 @@ "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -67198,11 +67431,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/CCob/MirrorDump", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/helpsystems/nanodump", "https://github.com/Hackndo/lsassy", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -67378,8 +67611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], @@ -67413,10 +67646,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -67483,8 +67716,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], "tags": [ @@ -67517,9 +67750,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", + "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ @@ -67586,8 +67819,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ @@ -67620,8 +67853,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml" ], "tags": [ @@ -67705,10 +67938,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], "tags": [ @@ -67808,10 +68041,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -67844,9 +68077,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], @@ -67880,8 +68113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", + "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" ], "tags": [ @@ -67915,8 +68148,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -68024,9 +68257,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -68050,8 +68283,8 @@ "logsource.product": "windows", "refs": [ "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -68093,17 +68326,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -68154,10 +68387,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1186631731543236608", - "https://github.com/Neo23x0/DLLRunner", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://github.com/Neo23x0/DLLRunner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], "tags": [ @@ -68291,10 +68524,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", - "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml" ], "tags": [ @@ -68314,40 +68547,6 @@ "uuid": "9d5a1274-922a-49d0-87f3-8c653483b909", "value": "Potential System Information Discovery Via Wmic.EXE" }, - { - "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_appvlp.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml" - ], - "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", - "value": "Using AppVLP To Circumvent ASR File Path Rule" - }, { "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "meta": { @@ -68394,9 +68593,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ @@ -68429,8 +68628,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ @@ -68513,10 +68712,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -68550,10 +68749,10 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://github.com/ohpe/juicy-potato", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://www.localpotato.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], @@ -68695,11 +68894,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1628720819537936386", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/0gtweet/status/1628720819537936386", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -68754,6 +68953,40 @@ "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "value": "PktMon.EXE Execution" }, + { + "description": "Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Msxsl is not installed by default and is deprecated, so unlikely on most systems." + ], + "filename": "proc_creation_win_msxsl_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ] + }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0", + "value": "Msxsl.EXE Execution" + }, { "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", "meta": { @@ -68809,9 +69042,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -68878,6 +69111,39 @@ "uuid": "37e8d358-6408-4853-82f4-98333fca7014", "value": "Remote Access Tool - NetSupport Execution From Unusual Location" }, + { + "description": "Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_installutil_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_installutil_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", + "value": "File Download Via InstallUtil.EXE" + }, { "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", "meta": { @@ -68891,11 +69157,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -68936,7 +69202,7 @@ { "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.", "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2019/02/11", "falsepositive": [ "Unknown" @@ -68946,8 +69212,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/11/short-journey-darkvnc/", "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", + "https://reaqta.com/2017/11/short-journey-darkvnc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ @@ -69038,9 +69305,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], "tags": [ @@ -69106,8 +69373,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Hackplayers/evil-winrm", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", + "https://github.com/Hackplayers/evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ @@ -69140,8 +69407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -69175,8 +69442,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ @@ -69266,8 +69533,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -69303,8 +69570,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -69371,9 +69638,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], "tags": [ @@ -69406,8 +69673,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], @@ -69508,8 +69775,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ @@ -69542,8 +69809,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml" ], "tags": [ @@ -69576,8 +69843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml" ], "tags": [ @@ -69737,8 +70004,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ @@ -69854,8 +70121,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ @@ -69963,8 +70230,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ @@ -69997,8 +70264,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://twitter.com/harr0ey/status/989617817849876488", + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" ], "tags": [ @@ -70149,8 +70416,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ @@ -70183,10 +70450,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -70219,8 +70486,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/netsh.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://ss64.com/nt/netsh.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ @@ -70253,8 +70520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" ], "tags": [ @@ -70394,9 +70661,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -70429,9 +70696,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/sensepost/ruler", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ @@ -70472,11 +70739,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -70510,8 +70777,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021415852335105", "https://twitter.com/nas_bench/status/1618021838407495681", + "https://twitter.com/nas_bench/status/1618021415852335105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ @@ -70538,7 +70805,7 @@ } ], "uuid": "5a3164f2-b373-4152-93cf-090b13c12d27", - "value": "VsCode Child Process Anomaly" + "value": "Potentially Suspicious Child Process Of VsCode" }, { "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", @@ -70586,8 +70853,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ @@ -70698,9 +70965,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/974806438316072960", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], @@ -70795,6 +71062,31 @@ "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", "value": "PUA - Advanced Port Scanner Execution" }, + { + "description": "Detects file downloads directly from IP address URL using curl.exe", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_curl_download_direct_ip_exec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "9cc85849-3b02-4cb5-b371-3a1ff54f2218", + "value": "File Download From IP URL Via Curl.EXE" + }, { "description": "Detects attackers attempting to disable Windows Defender using Powershell", "meta": { @@ -70809,8 +71101,8 @@ "logsource.product": "windows", "refs": [ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -70876,9 +71168,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/tevora-threat/SharpView/", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], "tags": [ @@ -70943,9 +71235,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -71088,9 +71380,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" ], "tags": [ @@ -71166,8 +71458,8 @@ "logsource.product": "windows", "refs": [ "https://www.revshells.com/", - "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -71200,10 +71492,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], @@ -71237,8 +71529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml" ], "tags": [ @@ -71271,8 +71563,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" ], "tags": [ @@ -71305,8 +71597,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/for.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/nt/for.html", "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], @@ -71406,8 +71698,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ @@ -71529,7 +71821,7 @@ { "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022/08/03", "falsepositive": [ "Unknown" @@ -71539,8 +71831,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://twitter.com/fr0s7_/status/1712780207105404948", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ @@ -71548,10 +71841,10 @@ ] }, "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", - "value": "Obfuscated IP Download" + "value": "Obfuscated IP Download Activity" }, { - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.", "meta": { "author": "frack113", "creation_date": "2022/02/13", @@ -71667,7 +71960,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/05/16", "falsepositive": [ - "Unlikely in production environement" + "Unlikely in production environment" ], "filename": "proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml", "level": "high", @@ -71756,6 +72049,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" ], @@ -71781,9 +72075,9 @@ "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ @@ -71885,6 +72179,39 @@ "uuid": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "value": "Suspicious HH.EXE Execution" }, + { + "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands\n", + "meta": { + "author": "Cian Heasley, Florian Roth (Nextron Systems)", + "creation_date": "2020/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_tool_recon.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", + "value": "Webshell Tool Reconnaissance Activity" + }, { "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", "meta": { @@ -71898,8 +72225,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ @@ -71924,11 +72251,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -72109,8 +72436,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" ], "tags": [ @@ -72190,8 +72517,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -72240,8 +72567,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -72309,8 +72636,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-april-2022/", - "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ @@ -72330,6 +72657,64 @@ "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "value": "Potentially Suspicious Child Process Of Regsvr32" }, + { + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "meta": { + "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "creation_date": "2017/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_recon_commands_and_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", + "value": "Webshell Detection With Command Line Keywords" + }, { "description": "Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.", "meta": { @@ -72343,9 +72728,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", + "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], "tags": [ @@ -72524,39 +72909,6 @@ "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "value": "Interactive AT Job" }, - { - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", - "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" - }, { "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "meta": { @@ -72570,11 +72922,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -72617,10 +72969,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -72729,8 +73081,8 @@ "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", - "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", + "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -72818,6 +73170,39 @@ "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "value": "PowerShell Download and Execution Cradles" }, + { + "description": "Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", + "value": "Arbitrary File Download Via GfxDownloadWrapper.EXE" + }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { @@ -72865,8 +73250,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ @@ -72932,9 +73317,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", - "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", + "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ @@ -73025,8 +73410,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" ], "tags": [ @@ -73049,8 +73434,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -73111,6 +73496,40 @@ "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "value": "Process Creation Using Sysnative Folder" }, + { + "description": "Detects usage of \"msedge_proxy.exe\" to download arbitrary files", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msedge_proxy_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e84d89c4-f544-41ca-a6af-4b92fd38b023", + "value": "Arbitrary File Download Via MSEDGE_PROXY.EXE" + }, { "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", "meta": { @@ -73192,8 +73611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ @@ -73268,8 +73687,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://securityxploded.com/", + "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ @@ -73404,8 +73823,8 @@ "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], @@ -73532,8 +73951,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -73619,9 +74038,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], "tags": [ @@ -73820,8 +74239,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -73854,8 +74273,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], @@ -73876,6 +74295,41 @@ "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "value": "Copy From VolumeShadowCopy Via Cmd.EXE" }, + { + "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\n", + "meta": { + "author": "Aaron Stratton", + "creation_date": "2023/11/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_excel_dcom_lateral_movement.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", + "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", + "https://github.com/grayhatkiller/SharpExShell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" + ], + "tags": [ + "attack.t1021.003", + "attack.lateral_movement" + ] + }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "551d9c1f-816c-445b-a7a6-7a3864720d60", + "value": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" + }, { "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "meta": { @@ -73889,9 +74343,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ @@ -73924,8 +74378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/kmkz_security/status/1220694202301976576", "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", + "https://twitter.com/kmkz_security/status/1220694202301976576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -73958,8 +74412,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ @@ -73992,9 +74446,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://www.exploit-db.com/exploits/37525", - "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -74146,8 +74600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -74157,6 +74611,47 @@ "uuid": "56454143-524f-49fb-b1c6-3fb8b1ad41fb", "value": "Suspicious File Download From File Sharing Domain Via Curl.EXE" }, + { + "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation\n", + "meta": { + "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Particular web applications may spawn a shell process legitimately" + ], + "filename": "proc_creation_win_webshell_susp_process_spawned_from_webserver.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", + "value": "Suspicious Process By Web Server Process" + }, { "description": "Detects the Installation of a Exchange Transport Agent", "meta": { @@ -74311,8 +74806,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" ], "tags": [ @@ -74389,11 +74884,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -74468,11 +74963,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -74505,9 +75000,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ @@ -74650,9 +75145,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -74910,8 +75405,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -74978,9 +75473,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", - "https://github.com/binderlabs/DirCreate2System", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ @@ -75032,7 +75527,7 @@ "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation" }, { - "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.", + "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "meta": { "author": "Muhammad Faisal", "creation_date": "2023/08/02", @@ -75044,9 +75539,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", + "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], "tags": [ @@ -75389,8 +75884,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ @@ -75456,23 +75951,23 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/adrecon/ADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/samratashok/nishang", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/HarmJ0y/DAMP", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], @@ -75631,9 +76126,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ @@ -75793,8 +76288,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" ], "tags": [ @@ -75827,8 +76322,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ @@ -75849,6 +76344,41 @@ "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "value": "Renamed Whoami Execution" }, + { + "description": "Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate use of Visual Studio Code tunnel and running code from there" + ], + "filename": "proc_creation_win_vscode_tunnel_remote_shell_.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f4a623c2-4ef5-4c33-b811-0642f702c9f1", + "value": "Visual Studio Code Tunnel Shell Execution" + }, { "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.", "meta": { @@ -76002,8 +76532,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], @@ -76024,6 +76554,31 @@ "uuid": "867356ee-9352-41c9-a8f2-1be690d78216", "value": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" }, + { + "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_curl_download_direct_ip_susp_extensions.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "5cb299fc-5fb1-4d07-b989-0644c68b6043", + "value": "Suspicious File Download From IP Via Curl.EXE" + }, { "description": "Detects the use of SharpUp, a tool for local privilege escalation", "meta": { @@ -76178,8 +76733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -76488,9 +77043,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ @@ -76543,7 +77098,7 @@ "value": "Fake Instance Of Hxtsr.exe" }, { - "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "description": "Detects port forwarding activity via SSH.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/12", @@ -76551,7 +77106,7 @@ "Administrative activity using a remote port forwarding to a local port" ], "filename": "proc_creation_win_ssh_port_forward.yml", - "level": "high", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -76590,7 +77145,7 @@ } ], "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - "value": "Port Forwarding Attempt Via SSH" + "value": "Port Forwarding Activity Via SSH.EXE" }, { "description": "Detects usage of Gpg4win to encrypt files", @@ -76605,9 +77160,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.gpg4win.de/documentation.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.gpg4win.de/documentation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ @@ -76630,10 +77185,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -76666,8 +77221,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ @@ -76700,8 +77255,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" ], "tags": [ @@ -76861,8 +77416,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -76882,6 +77437,39 @@ "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", "value": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, + { + "description": "Detects execution of the IEExec utility to download and execute files", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ieexec_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ieexec_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "value": "File Download And Execution Via IEExec.EXE" + }, { "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", "meta": { @@ -76895,11 +77483,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -76979,11 +77567,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ @@ -77078,7 +77666,7 @@ "value": "Net.exe Execution" }, { - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", @@ -77090,9 +77678,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ @@ -77125,9 +77713,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -77226,8 +77814,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ @@ -77250,8 +77838,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml" ], "tags": [ @@ -77284,9 +77872,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", - "https://github.com/binderlabs/DirCreate2System", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ @@ -77443,10 +78031,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -77754,8 +78342,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://twitter.com/nas_bench/status/1550836225652686848", + "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -77921,13 +78509,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/zcgonvh/NTDSDumpEx", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://github.com/zcgonvh/NTDSDumpEx", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -78086,6 +78674,40 @@ "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "value": "PowerShell Download Pattern" }, + { + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msohtmed_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "value": "Arbitrary File Download Via MSOHTMED.EXE" + }, { "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", "meta": { @@ -78099,9 +78721,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://twitter.com/M_haggis/status/1699056847154725107", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], @@ -78247,6 +78869,65 @@ "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, + { + "description": "Detects execution of \"findstr\" with specific flags and a remote share path. This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.\n", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "587254ee-a24b-4335-b3cd-065c0f1f4baa", + "value": "Remote File Download Via Findstr.EXE" + }, { "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "meta": { @@ -78380,6 +79061,42 @@ "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "value": "Disabled IE Security Features" }, + { + "description": "Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2022/06/09", + "falsepositive": [ + "Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)" + ], + "filename": "proc_creation_win_squirrel_proxy_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "value": "Process Proxy Execution Via Squirrel.EXE" + }, { "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", "meta": { @@ -78393,8 +79110,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/med0x2e/vba2clr", + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml" ], "tags": [ @@ -78419,8 +79136,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -78519,8 +79236,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], @@ -78554,9 +79271,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -78743,8 +79460,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -78787,8 +79504,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ @@ -78866,7 +79583,7 @@ "value": "PowerShell Script Change Permission Via Set-Acl" }, { - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process", "meta": { "author": "Markus Neis", "creation_date": "2018/06/07", @@ -78944,8 +79661,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", + "https://twitter.com/mrd0x/status/1463526834918854661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" ], "tags": [ @@ -79188,8 +79905,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ @@ -79336,8 +80053,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ @@ -79449,8 +80166,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ @@ -79460,39 +80177,6 @@ "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "value": "Suspicious Msbuild Execution By Uncommon Parent Process" }, - { - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/02/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_calc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ItsReallyNick/status/1094080242686312448", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "value": "Suspicious Calculator Usage" - }, { "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", "meta": { @@ -79508,8 +80192,8 @@ "logsource.product": "windows", "refs": [ "https://ss64.com/bash/rar.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -79529,6 +80213,48 @@ "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", "value": "Rar Usage with Password and Compression Level" }, + { + "description": "Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitimate usage of the utility by administrators to query the event log" + ], + "filename": "proc_creation_win_susp_eventlog_content_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://www.group-ib.com/blog/apt41-world-tour-2021/", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1552" + ] + }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "value": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" + }, { "description": "Detects the execution of a renamed office binary", "meta": { @@ -79589,9 +80315,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -79822,40 +80548,6 @@ "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "value": "Renamed ProcDump Execution" }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/07/01", - "falsepositive": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" - ], - "filename": "proc_creation_win_lolbin_presentationhost.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", - "value": "Application Whitelisting Bypass via PresentationHost.exe" - }, { "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "meta": { @@ -79902,8 +80594,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/992008180904419328", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ @@ -80033,7 +80725,7 @@ "value": "Renamed CURL.EXE Execution" }, { - "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "description": "Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", "meta": { "author": "frack113", "creation_date": "2023/01/13", @@ -80045,8 +80737,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ @@ -80146,8 +80838,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ @@ -80271,9 +80963,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -80306,8 +80998,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/felixw3000/status/853354851128025088", "https://twitter.com/rikvduijn/status/853251879320662017", + "https://twitter.com/felixw3000/status/853354851128025088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ @@ -80340,8 +81032,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml" ], "tags": [ @@ -80374,8 +81066,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], @@ -80420,41 +81112,6 @@ "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", "value": "Antivirus Password Dumper Detection" }, - { - "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", - "meta": { - "author": "Sittikorn S, Nuttakorn T, Tim Shelton", - "creation_date": "2021/07/01", - "falsepositive": [ - "Unlikely, or pending PSP analysis" - ], - "filename": "av_printernightmare_cve_2021_34527.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", - "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "related": [ - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", - "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" - }, { "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", "meta": { @@ -80501,10 +81158,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ @@ -80546,8 +81203,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ @@ -80581,15 +81238,15 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -80622,12 +81279,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -80704,9 +81361,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/fastpassphishingdetection", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -80739,9 +81396,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -80762,8 +81419,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ @@ -80796,8 +81453,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://developer.okta.com/docs/reference/api/system-log/", + "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -80830,8 +81487,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -80864,8 +81521,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ @@ -80898,8 +81555,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -80922,8 +81579,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -80946,8 +81603,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -80970,8 +81627,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -80994,8 +81651,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -81018,8 +81675,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -81039,6 +81696,29 @@ "uuid": "413d4a81-6c98-4479-9863-014785fd579c", "value": "Okta Admin Role Assigned to an User or Group" }, + { + "description": "Detects new user account creation", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/10/25", + "falsepositive": [ + "Legitimate and authorized user creation" + ], + "filename": "okta_user_created.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_created.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "b6c718dd-8f53-4b9f-98d8-93fdca966969", + "value": "New Okta User Created" + }, { "description": "Detects when an application is modified or deleted.", "meta": { @@ -81052,8 +81732,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -81076,9 +81756,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", - "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://developer.okta.com/docs/reference/api/system-log/", + "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", + "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -81098,6 +81778,31 @@ "uuid": "91b76b84-8589-47aa-9605-c837583b82a9", "value": "Potential Okta Password in AlternateID Field" }, + { + "description": "Detects access to Okta admin functions through proxy.", + "meta": { + "author": "Muhammad Faisal @faisalusuf", + "creation_date": "2023/10/25", + "falsepositive": [ + "False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary" + ], + "filename": "okta_admin_activity_from_proxy_query.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", + "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", + "https://dataconomy.com/2023/10/23/okta-data-breach/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "9058ca8b-f397-4fd1-a9fa-2b7aad4d6309", + "value": "Okta Admin Functions Access Through Proxy" + }, { "description": "Detects when an Network Zone is Deactivated or Deleted.", "meta": { @@ -81111,8 +81816,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -81135,8 +81840,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -81159,8 +81864,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -81197,8 +81902,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -81221,8 +81926,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ @@ -81288,8 +81993,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml" ], "tags": [ @@ -81322,11 +82027,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://o365blog.com/post/aadbackdoor/", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://o365blog.com/post/aadbackdoor/", + "https://www.sygnia.co/golden-saml-advisory", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ @@ -81968,9 +82673,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", - "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -82063,8 +82768,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -82194,11 +82899,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/elastic/detection-rules/pull/1267", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -82299,8 +83004,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ @@ -82476,8 +83181,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -82535,8 +83240,8 @@ "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -82559,9 +83264,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -82584,8 +83289,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -82723,12 +83428,12 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -83006,8 +83711,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1214", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", + "https://github.com/elastic/detection-rules/pull/1214", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml" ], "tags": [ @@ -83377,9 +84082,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", - "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -83485,9 +84190,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", - "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", + "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ @@ -83571,9 +84276,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -83705,9 +84410,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -83765,8 +84470,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -83924,6 +84629,39 @@ "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", "value": "AWS ElastiCache Security Group Created" }, + { + "description": "Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.", + "meta": { + "author": "Sean Johnstone | Unit 42", + "creation_date": "2023/10/28", + "falsepositive": [ + "AWS administrator legitimately disabling bucket versioning" + ], + "filename": "aws_disable_bucket_versioning.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a136ac98-b2bc-4189-a14d-f0d0388e57a7", + "value": "AWS S3 Bucket Versioning Disable" + }, { "description": "Identifies an event where there are there are too many accounts assigned the Global Administrator role.", "meta": { @@ -84163,7 +84901,7 @@ "value": "Stale Accounts In A Privileged Role" }, { - "description": "Alert on when legecy authentication has been used on an account", + "description": "Alert on when legacy authentication has been used on an account", "meta": { "author": "Yochana Henderson, '@Yochana-H'", "creation_date": "2022/06/17", @@ -85082,8 +85820,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml" ], "tags": [ @@ -85116,8 +85854,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" ], "tags": [ @@ -85184,8 +85922,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml" ], "tags": [ @@ -85214,7 +85952,7 @@ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023/09/03", "falsepositive": [ - "A legitmate forwarding rule." + "A legitimate forwarding rule." ], "filename": "azure_identity_protection_inbox_forwarding_rule.yml", "level": "high", @@ -85326,8 +86064,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ @@ -85360,8 +86098,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" ], "tags": [ @@ -85431,8 +86169,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" ], "tags": [ @@ -85465,8 +86203,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ @@ -85533,8 +86271,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ @@ -85567,9 +86305,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ @@ -85605,8 +86343,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ @@ -85635,15 +86373,15 @@ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023/09/03", "falsepositive": [ - "Conneting to a VPN, performing activity and then dropping and performing addtional activity." + "Connecting to a VPN, performing activity and then dropping and performing additional activity." ], "filename": "azure_identity_protection_impossible_travel.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ @@ -85716,8 +86454,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" ], "tags": [ @@ -85771,7 +86509,7 @@ "value": "End User Consent" }, { - "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", + "description": "Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022/07/19", @@ -87320,11 +88058,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -87695,11 +88433,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -87723,11 +88461,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -87819,11 +88557,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -87931,10 +88669,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -87970,11 +88708,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -88216,11 +88954,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -88245,11 +88983,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -88282,8 +89020,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml" ], "tags": [ @@ -88392,8 +89130,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -88462,11 +89200,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", "https://github.com/payloadbox/sql-injection-payload-list", "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", - "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -88486,6 +89224,41 @@ "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", "value": "SQL Injection Strings In URI" }, + { + "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", + "creation_date": "2023/11/08", + "falsepositive": [ + "Legitimate usage of the BIG IP REST API to execute command for administration purposes" + ], + "filename": "web_f5_tm_utility_bash_api_request.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", + "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" + ], + "tags": [ + "attack.execution", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "85254a62-22be-4239-b79c-2ec17e566c37", + "value": "F5 BIG-IP iControl Rest API Command Execution - Webserver" + }, { "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", "meta": { @@ -88499,8 +89272,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -88534,10 +89307,10 @@ "logsource.product": "No established product", "refs": [ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -88609,8 +89382,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/projectdiscovery/nuclei-templates", + "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" ], "tags": [ @@ -88643,9 +89416,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], "tags": [ @@ -88678,8 +89451,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", "https://github.com/sensepost/reGeorg", + "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" ], "tags": [ @@ -88712,9 +89485,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/lijiejie/IIS_shortname_Scanner", - "https://www.exploit-db.com/exploits/19525", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://www.exploit-db.com/exploits/19525", + "https://github.com/lijiejie/IIS_shortname_Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -88782,8 +89555,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", "https://github.com/payloadbox/ssti-payloads", + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], "tags": [ @@ -88917,8 +89690,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/jhencinski/status/1102695118455349248", "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://twitter.com/jhencinski/status/1102695118455349248", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -89030,9 +89803,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -89242,9 +90015,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -89335,14 +90108,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://perishablepress.com/blacklist/ua-2013.txt", "https://twitter.com/crep1x/status/1635034100213112833", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://perishablepress.com/blacklist/ua-2013.txt", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -89453,8 +90226,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://rclone.org/", "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://rclone.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -89487,8 +90260,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml" ], "tags": [ @@ -89642,6 +90415,41 @@ "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", "value": "iOS Implant URL Pattern" }, + { + "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", + "creation_date": "2023/11/08", + "falsepositive": [ + "Legitimate usage of the BIG IP REST API to execute command for administration purposes" + ], + "filename": "proxy_f5_tm_utility_bash_api_request.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", + "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b59c98c6-95e8-4d65-93ee-f594dfb96b17", + "value": "F5 BIG-IP iControl Rest API Command Execution - Proxy" + }, { "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", "meta": { @@ -89739,8 +90547,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml" ], "tags": [ @@ -89806,10 +90614,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://www.spamhaus.org/statistics/tlds/", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -90441,8 +91249,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://objective-see.org/blog/blog_0x4B.html", "https://redcanary.com/blog/applescript/", + "https://objective-see.org/blog/blog_0x4B.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -90559,8 +91367,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -90668,8 +91476,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://redcanary.com/blog/applescript/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ @@ -90769,8 +91577,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://ss64.com/osx/dsenableroot.html", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -90853,8 +91661,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -90904,9 +91712,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -91014,8 +91822,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.manpagez.com/man/8/PlistBuddy/", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://www.manpagez.com/man/8/PlistBuddy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ @@ -91132,8 +91940,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" ], "tags": [ @@ -91332,8 +92140,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -91389,9 +92197,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -91811,8 +92619,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" ], "tags": [ @@ -91904,8 +92712,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ @@ -92130,9 +92938,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -92189,10 +92997,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": "No established tags" @@ -92257,8 +93065,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -92571,7 +93379,7 @@ "value": "Binary Padding - Linux" }, { - "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "description": "Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "meta": { "author": "Pawel Mazur", "creation_date": "2021/09/11", @@ -92672,8 +93480,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/xclip", "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://linux.die.net/man/1/xclip", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -92740,8 +93548,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/insmod", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -92809,9 +93617,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://objective-see.org/blog/blog_0x68.html", "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "https://objective-see.org/blog/blog_0x68.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], "tags": [ @@ -92844,9 +93652,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://linux.die.net/man/1/import", "https://imagemagick.org/", + "https://linux.die.net/man/1/import", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -92946,10 +93754,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://mn3m.info/posts/suid-vs-capabilities/", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://mn3m.info/posts/suid-vs-capabilities/", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -93024,8 +93832,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://blog.aquasec.com/container-security-tnt-container-attack", + "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -93058,8 +93866,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "Self Experience", "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "Self Experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ @@ -93092,8 +93900,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -93324,8 +94132,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/wget/", "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ @@ -93701,9 +94509,9 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://linux.die.net/man/1/chage", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -93804,8 +94612,8 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://linux.die.net/man/8/pam_tty_audit", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://linux.die.net/man/8/pam_tty_audit", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], @@ -93913,9 +94721,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -93948,9 +94756,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://book.hacktricks.xyz/shells/shells/linux", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -94296,8 +95104,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ @@ -94420,10 +95228,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://artkond.com/2017/03/23/pivoting-guide/", "http://pastebin.com/FtygZ1cg", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", + "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -94688,8 +95496,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -94722,9 +95530,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -94867,8 +95675,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -94904,8 +95712,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -95018,8 +95826,8 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ @@ -95186,9 +95994,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -95265,8 +96073,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -95379,9 +96187,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vimdiff/", "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -95416,8 +96224,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -95517,8 +96325,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -95617,9 +96425,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxhint.com/uninstall-debian-packages/", - "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://sysdig.com/blog/mitre-defense-evasion-falco", + "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", + "https://linuxhint.com/uninstall-debian-packages/", "https://linuxhint.com/uninstall_yum_package/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], @@ -95715,6 +96523,48 @@ "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", "value": "Linux Recon Indicators" }, + { + "description": "Detects known hacktool execution based on image name.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])", + "creation_date": "2023/01/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_susp_hktl_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/pathtofile/bad-bpf", + "https://github.com/Gui774ume/ebpfkit", + "https://github.com/1N3/Sn1per", + "https://github.com/Pennyw0rth/NetExec/", + "https://github.com/t3l3machus/hoaxshell", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/HavocFramework/Havoc", + "https://github.com/t3l3machus/Villain", + "https://github.com/Ne0nd0g/merlin", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.resource_development", + "attack.t1587" + ] + }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a015e032-146d-4717-8944-7a1884122111", + "value": "Linux HackTool Execution" + }, { "description": "Detects chmod targeting files in abnormal directory paths.", "meta": { @@ -95728,8 +96578,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" ], "tags": [ @@ -95795,9 +96645,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", - "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], "tags": [ @@ -95830,8 +96680,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ @@ -95897,8 +96747,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ @@ -95931,11 +96781,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://curl.se/docs/manpage.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -95976,8 +96826,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ @@ -96000,8 +96850,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ @@ -96034,10 +96884,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linux.die.net/man/8/userdel", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://linux.die.net/man/8/userdel", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -96090,6 +96940,41 @@ "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", "value": "System Information Discovery" }, + { + "description": "Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.", + "meta": { + "author": "Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_network_utilities_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/Tib3rius/AutoRecon", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/projectdiscovery/naabu", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", + "value": "Linux Network Service Scanning Tools Execution" + }, { "description": "Detects command line parameters or strings often used by crypto miners", "meta": { @@ -96136,8 +97021,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", + "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -96203,8 +97088,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" ], "tags": [ @@ -96328,10 +97213,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ @@ -96356,8 +97241,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -96481,8 +97366,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ @@ -96505,8 +97390,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -96572,8 +97457,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -96608,8 +97493,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -96642,8 +97527,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://bpftrace.org/", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -96676,8 +97561,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ @@ -96700,8 +97585,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" ], "tags": [ @@ -96752,8 +97637,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/arget13/DDexec", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ @@ -96819,10 +97704,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-remove-user-command/", - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://linux.die.net/man/8/groupdel", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -96855,8 +97740,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" ], "tags": [ @@ -96889,9 +97774,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", - "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/diego-treitos/linux-smart-enumeration", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -96991,8 +97876,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ @@ -97054,39 +97939,6 @@ "uuid": "31545105-3444-4584-bebf-c466353230d2", "value": "Touch Suspicious Service File" }, - { - "description": "Detects enumeration of local or remote network services.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/21", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_lnx_network_service_scanning.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ] - }, - "related": [ - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", - "value": "Linux Network Service Scanning" - }, { "description": "Detects changes to the ESXi syslog configuration via \"esxcli\"", "meta": { @@ -97142,9 +97994,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", - "https://linux.die.net/man/1/bash", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://linux.die.net/man/1/bash", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ @@ -97224,10 +98076,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ @@ -97407,7 +98259,7 @@ "value": "Suspicious Java Children Processes" }, { - "description": "Detects listing of the inodes of the \"/\" directory to determin if the we are running inside of a container.", + "description": "Detects listing of the inodes of the \"/\" directory to determine if the we are running inside of a container.", "meta": { "author": "Seth Hanford", "creation_date": "2023/08/23", @@ -97553,8 +98405,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -97606,10 +98458,10 @@ "logsource.product": "linux", "refs": [ "https://www.revshells.com/", - "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", - "https://man7.org/linux/man-pages/man1/ncat.1.html", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.infosecademy.com/netcat-reverse-shells/", + "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -97642,9 +98494,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.computerhope.com/unix/unohup.htm", "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", - "https://www.computerhope.com/unix/unohup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -97733,8 +98585,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" ], "tags": [ @@ -97791,8 +98643,8 @@ "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ @@ -97820,32 +98672,6 @@ "uuid": "d54c2f06-aca9-4e2b-81c9-5317858f4b79", "value": "ESXi VSAN Information Discovery Via ESXCLI" }, - { - "description": "Detects known hacktool execution based on image name", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/01/03", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_lnx_hack_tools.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/pathtofile/bad-bpf", - "https://github.com/Gui774ume/ebpfkit", - "Internal Research", - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "a015e032-146d-4717-8944-7a1884122111", - "value": "Linux HackTool Execution" - }, { "description": "Detects listing or file reading of \".dockerenv\" which can be a sing of potential container discovery", "meta": { @@ -97927,9 +98753,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://bpftrace.org/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -97974,7 +98800,7 @@ "value": "File Deletion" }, { - "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.", + "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "meta": { "author": "Muhammad Faisal", "creation_date": "2023/08/03", @@ -97986,9 +98812,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", + "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ @@ -98080,8 +98906,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], @@ -98117,8 +98943,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -98151,8 +98977,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -98185,8 +99011,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -98320,8 +99146,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://github.com/apache/spark/pull/36315/files", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -98356,8 +99182,8 @@ "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -98392,8 +99218,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -98538,5 +99364,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20231017 + "version": 20231121 }