Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 20 changed files with 679 additions and 10 deletions.
@@ -0,0 +1,41 @@ | ||
action: global | ||
title: Operation Wocao Activity | ||
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d | ||
author: Florian Roth | ||
status: experimental | ||
description: Detects activity mentioned in Operation Wocao report | ||
references: | ||
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ | ||
- https://twitter.com/SBousseaden/status/1207671369963646976 | ||
date: 2019/12/20 | ||
falsepositives: | ||
- Administrators that use checkadmin.exe tool to enumerate local administrators | ||
level: high | ||
--- | ||
logsource: | ||
product: windows | ||
service: security | ||
detection: | ||
selection: | ||
EventID: 4799 | ||
GroupName: 'Administrators' | ||
ProcessName: '*\checkadmin.exe' | ||
condition: selection | ||
--- | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
CommandLine|contains: | ||
- 'checkadmin.exe 127.0.0.1 -all' | ||
- 'netsh advfirewall firewall add rule name=powershell dir=in' | ||
- 'cmd /c powershell.exe -ep bypass -file c:\s.ps1' | ||
- '/tn win32times /f' | ||
- 'create win32times binPath=' | ||
- '\c$\windows\system32\devmgr.dll' | ||
- ' -exec bypass -enc JgAg' | ||
- 'type *keepass\KeePass.config.xml' | ||
- 'iie.exe iie.txt' | ||
- 'reg query HKEY_CURRENT_USER\Software\*\PuTTY\Sessions\' | ||
condition: selection |
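Review bot: the field names in the first rule (`GroupName` and `ProcessName` under `EventID: 4799`) do not match the Security log schema for event 4799, which carries the enumerated group in `TargetUserName` and the enumerating process in `CallerProcessName`; unless the logsource has a field mapping for these names, the rule will never match. Suggest `TargetUserName: 'Administrators'` and `CallerProcessName|endswith: '\checkadmin.exe'`. The rule also has no `tags` block while the other rules in this commit carry ATT&CK tags; the command lines cover local admin enumeration, firewall rule changes, scheduled task and service creation, and credential theft from KeePass and PuTTY configuration, so attack.discovery, attack.defense_evasion, attack.persistence and attack.credential_access all apply.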
@@ -0,0 +1,29 @@ | ||
title: Citrix Netscaler Attack CVE-2019-19781 | ||
description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack | ||
id: ac5a6409-8c89-44c2-8d64-668c29a2d756 | ||
references: | ||
- https://support.citrix.com/article/CTX267679 | ||
- https://support.citrix.com/article/CTX267027 | ||
- https://isc.sans.edu/diary/25686 | ||
author: Arnim Rupp, Florian Roth | ||
status: experimental | ||
date: 2020/01/02 | ||
modified: 2020/01/07 | ||
logsource: | ||
category: webserver | ||
description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)' | ||
detection: | ||
selection: | ||
c-uri-path: | ||
- '*/../vpns/*' | ||
- '*/vpns/cfg/smb.conf' | ||
condition: selection | ||
fields: | ||
- client_ip | ||
- vhost | ||
- url | ||
- response | ||
falsepositives: | ||
- Unknown | ||
level: critical | ||
|
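Review bot: the `fields` list (`client_ip`, `vhost`, `url`, `response`) uses a different naming scheme than the detection field `c-uri-path`, so the output columns will not line up with the field the rule matches on; pick one scheme (W3C-style `c-ip`, `cs-host`, `c-uri-path`, `sc-status` to match the detection) or map both. Also note that `'*/../vpns/*'` only matches when the web server logs the request path as received, without collapsing `..` and without percent-encoding left in place; an appliance or proxy that normalizes the path before logging will not produce this string, which is why the `logsource` description's advice to test logging matters and should be kept. Finally, add a `tags` block (attack.initial_access, attack.t1190) for consistency with the other rules in this commit.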
@@ -0,0 +1,39 @@ | ||
title: Bloodhound and Sharphound Hack Tool | ||
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962 | ||
description: Detects command line parameters used by Bloodhound and Sharphound hack tools | ||
author: Florian Roth | ||
references: | ||
- https://github.com/BloodHoundAD/BloodHound | ||
- https://github.com/BloodHoundAD/SharpHound | ||
date: 2019/12/20 | ||
modified: 2019/12/21 | ||
tags: | ||
- attack.discovery | ||
- attack.t1087 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection1: | ||
Image|contains: | ||
- '\Bloodhound.exe' | ||
- '\SharpHound.exe' | ||
selection2: | ||
CommandLine|contains: | ||
- ' -CollectionMethod All ' | ||
- '.exe -c All -d ' | ||
- 'Invoke-Bloodhound' | ||
- 'Get-BloodHoundData' | ||
selection3: | ||
CommandLine|contains|all: | ||
- ' -JsonFolder ' | ||
- ' -ZipFileName ' | ||
selection4: | ||
CommandLine|contains|all: | ||
- ' DCOnly ' | ||
- ' --NoSaveCache ' | ||
condition: 1 of them | ||
falsepositives: | ||
- Other programs that use these command line option and accepts an 'All' parameter | ||
level: high | ||
|
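Review bot: `status` is missing from this rule while the others in the commit declare `status: experimental`; add it. The `falsepositives` entry should read "Other programs that use these command line options and accept an 'All' parameter". Minor: `Image|contains: '\Bloodhound.exe'` behaves like an `endswith` match here; `Image|endswith` states the intent and matches the style of the SecurityXploded rule in this same commit.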
@@ -0,0 +1,26 @@ | ||
title: SecurityXploded Tool | ||
id: 7679d464-4f74-45e2-9e01-ac66c5eb041a | ||
description: Detects the execution of SecurityXploded Tools | ||
author: Florian Roth | ||
references: | ||
- https://securityxploded.com/ | ||
- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ | ||
date: 2018/12/19 | ||
tags: | ||
- attack.credential_access | ||
- attack.t1003 | ||
- attack.s0005 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection1: | ||
Company: SecurityXploded | ||
selection2: | ||
Image|endswith: 'PasswordDump.exe' | ||
selection3: | ||
OriginalFilename|endswith: 'PasswordDump.exe' | ||
condition: 1 of them | ||
falsepositives: | ||
- unlikely | ||
level: critical |
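Review bot: `date: 2018/12/19` looks like a typo; every other rule in this commit is dated 2019/12 and the CyberX "Gangnam Industrial Style" reference is a December 2019 publication, so this should most likely be `2019/12/19`. `status` is also missing. Worth stating in the description: `Company` and `OriginalFilename` are PE version-info fields that only Sysmon event 1 populates, not Security 4688, so on 4688-only telemetry selection1 and selection3 are dead and the rule rests on the easily renamed `PasswordDump.exe` image name alone.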
rules/windows/process_creation/win_hktl_createminidump.yml (33 additions, 0 deletions)
@@ -0,0 +1,33 @@ | ||
action: global | ||
title: CreateMiniDump Hacktool | ||
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d | ||
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine | ||
author: Florian Roth | ||
references: | ||
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass | ||
date: 2019/12/22 | ||
tags: | ||
- attack.credential_access | ||
- attack.t1003 | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
--- | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection1: | ||
Image|contains: '\CreateMiniDump.exe' | ||
selection2: | ||
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' | ||
condition: 1 of them | ||
--- | ||
logsource: | ||
product: windows | ||
service: sysmon | ||
detection: | ||
selection: | ||
EventID: 11 | ||
TargetFileName|contains: '*\lsass.dmp' | ||
condition: 1 of them |
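Review bot: in the second rule the Sysmon event 11 field is `TargetFilename` (lower-case n), not `TargetFileName`; field names are case-sensitive in several backends, so the file-creation branch may never match. The leading `*` in `'*\lsass.dmp'` is redundant under `|contains`, and `condition: 1 of them` over a single `selection` should simply be `condition: selection`. Two caveats for the description: the `Imphash` selection only works when Sysmon is configured with `IMPHASH` in `HashAlgorithms`, and a file named `lsass.dmp` is also written by procdump and by Task Manager's "Create dump file", so the Sysmon branch will fire on those as well; the `falsepositives: Unknown` entry should say so.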
rules/windows/process_creation/win_malware_trickbot_recon_activity.yml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
title: Trickbot Malware Recon Activity | ||
id: 410ad193-a728-4107-bc79-4419789fcbf8 | ||
status: experimental | ||
description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network. | ||
references: | ||
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ | ||
author: David Burkett | ||
date: 12/28/2019 | ||
tags: | ||
- attack.t1482 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
Image: | ||
- '*\nltest.exe' | ||
CommandLine: | ||
- '/domain_trusts /all_trusts' | ||
- '/domain_trusts' | ||
condition: selection | ||
fields: | ||
- CommandLine | ||
- ParentCommandLine | ||
falsepositives: | ||
- Rare System Admin Activity | ||
level: critical |
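Review bot: the `CommandLine` values carry no wildcards, so Sigma treats them as exact full-string matches; a real command line is `nltest /domain_trusts /all_trusts` or `C:\Windows\system32\nltest.exe /domain_trusts`, which never equals `/domain_trusts`, and the rule will not fire. Use `CommandLine|contains: '/domain_trusts'` (which also covers the `/all_trusts` variant) together with `Image|endswith: '\nltest.exe'`. Also `date: 12/28/2019` should follow the `YYYY/MM/DD` convention used by the other rules (`2019/12/28`), and the description typo "This detectors attempts" should read "This detector attempts".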
rules/windows/process_creation/win_susp_copy_lateral_movement.yml (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
title: Copy from Admin Share | ||
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 | ||
status: experimental | ||
description: Detects a suspicious copy command from a remote C$ or ADMIN$ share | ||
references: | ||
- https://twitter.com/SBousseaden/status/1211636381086339073 | ||
author: Florian Roth | ||
date: 2019/12/30 | ||
tags: | ||
- attack.lateral_movement | ||
- attack.t1077 | ||
- attack.t1105 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
CommandLine|contains: | ||
- 'copy *\c$' | ||
- 'copy *\ADMIN$' | ||
condition: selection | ||
fields: | ||
- CommandLine | ||
- ParentCommandLine | ||
falsepositives: | ||
- Administrative scripts | ||
level: high |
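Review bot: because `copy *\c$` is matched anywhere in `CommandLine`, the rule fires on copies to an admin share as well as from one, while the description says "from a remote C$ or ADMIN$ share"; either widen the description to both directions or anchor the share as the source operand. The same substring also catches `xcopy` and `robocopy` (`xcopy \\host\c$\...` contains `copy \\host\c$`), which is useful and worth stating in the description; PowerShell `Copy-Item` and `move` are not covered. Matching only `\c$` and `\ADMIN$` also misses the per-drive admin shares of other fixed drives such as `\d$`.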
rules/windows/process_creation/win_susp_svchost_no_cli.yml (29 additions, 0 deletions)
@@ -0,0 +1,29 @@ | ||
title: Suspect svchost Activity | ||
id: 16c37b52-b141-42a5-a3ea-bbe098444397 | ||
status: experimental | ||
description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. | ||
references: | ||
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 | ||
author: David Burkett | ||
date: 12/28/2019 | ||
tags: | ||
- attack.t1055 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection1: | ||
CommandLine: null | ||
selection2: | ||
Image: '*\svchost.exe' | ||
filter: | ||
ParentImage: | ||
- '*\rpcnet.exe' | ||
- '*\rpcnetp.exe' | ||
condition: (selection1 and selection2) and not filter | ||
fields: | ||
- CommandLine | ||
- ParentCommandLine | ||
falsepositives: | ||
- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf | ||
level: critical |
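Review bot: `CommandLine: null` tests for the field being absent, so this rule's behaviour depends entirely on the telemetry behind `process_creation`: with Security 4688 and "Include command line in process creation events" disabled, the field is missing for every process and a `level: critical` alert would fire on every svchost.exe start. State in the description that Sysmon event 1 or 4688 with command-line auditing enabled is required, and consider also matching the empty string (`CommandLine: ''`), since some pipelines emit an empty field rather than omitting it. Also `date: 12/28/2019` should be `2019/12/28` to match the `YYYY/MM/DD` convention used elsewhere, and selection1 and selection2 can be merged into a single selection.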
rules/windows/process_creation/win_susp_whoami_localsystem.yml (22 additions, 0 deletions)
@@ -0,0 +1,22 @@ | ||
title: Whoami as LOCAL_SYSTEM | ||
id: 1453b1a4-261b-4daf-afe1-2a400a838b5c | ||
status: experimental | ||
description: Detects the execution of whoami as LOCAL_SYSTEM, often used after privilege escalation by attackers who want to evaluate the new user context | ||
author: Florian Roth | ||
date: 2019/12/22 | ||
tags: | ||
- attack.discovery | ||
- attack.t1033 | ||
- car.2016-03-001 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
Image|contains: '\whoami.exe' | ||
User: 'NT AUTHORITY\SYSTEM' | ||
condition: selection | ||
falsepositives: | ||
- Admin activity | ||
- Scripts and administrative tools used in the monitored environment | ||
level: critical |
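Review bot: `User: 'NT AUTHORITY\SYSTEM'` is an exact match on the English account name and misses localized systems (for example `NT-AUTORITÄT\SYSTEM` on German Windows) as well as Security 4688 telemetry, where the equivalent field is `SubjectUserName: 'SYSTEM'`; prefer `User|endswith: '\SYSTEM'`, or the well-known SID `S-1-5-18` where a SID field is available, and document that the `User` field as written is Sysmon-oriented. `level: critical` also sits uneasily with falsepositives of "Admin activity" and "Scripts and administrative tools used in the monitored environment"; high fits that profile better.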