Commit
feat: new rules, updates and fp fixes (#4162)
Showing 28 changed files with 278 additions and 188 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
49 changes: 49 additions & 0 deletions
...nt/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
@@ -0,0 +1,49 @@ | ||
title: Potential CVE-2023-23397 Exploitation Attempt - SMB | ||
id: de96b824-02b0-4241-9356-7e9b47f04bac | ||
status: experimental | ||
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397. | ||
references: | ||
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/04/05 | ||
tags: | ||
- attack.exfiltration | ||
- cve.2023.23397 | ||
logsource: | ||
product: windows | ||
service: smbclient-connectivity | ||
detection: | ||
selection: | ||
# Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names" | ||
EventID: | ||
#- 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field) | ||
- 30803 # Failed to establish a network connection. | ||
- 30804 # A network connection was disconnected. | ||
- 30806 # The client re-established its session to the server. | ||
#- 31001 # Error (Doesn't contain the "ServerAddress" field) | ||
filter_main_local_ips: | ||
ServerAddress|startswith: | ||
- '10.' #10.0.0.0/8 | ||
- '192.168.' #192.168.0.0/16 | ||
- '172.16.' #172.16.0.0/12 | ||
- '172.17.' | ||
- '172.18.' | ||
- '172.19.' | ||
- '172.20.' | ||
- '172.21.' | ||
- '172.22.' | ||
- '172.23.' | ||
- '172.24.' | ||
- '172.25.' | ||
- '172.26.' | ||
- '172.27.' | ||
- '172.28.' | ||
- '172.29.' | ||
- '172.30.' | ||
- '172.31.' | ||
- '127.' #127.0.0.0/8 | ||
- '169.254.' #169.254.0.0/16 | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Some false positives may occur from external trusted servers. Apply additional filters accordingly | ||
level: medium |
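Review bot: The `filter_main_local_ips` filter lists only IPv4 prefixes, so a `ServerAddress` that is an IPv6 loopback or link-local address (`::1`, `fe80::...`) is not excluded and will match on dual-stack hosts; consider adding the corresponding IPv6 prefixes to the filter. Separately, the description says the rule detects "(failed) outbound connection attempts", but the selected EventIDs 30804 ("A network connection was disconnected") and 30806 ("The client re-established its session to the server") describe sessions that were established rather than failures; either reword the description to say the rule also flags disconnect/reconnect events to non-local SMB servers, or drop those two IDs so the rule stays limited to failed connections as described.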
File renamed without changes.
41 changes: 20 additions & 21 deletions
rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -1,44 +1,43 @@ | ||
title: Windows Shell File Write to Suspicious Folder | ||
title: Windows Shell/Scripting Application File Write to Suspicious Folder | ||
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 | ||
status: experimental | ||
description: Detects a Windows executable that writes files to suspicious folders | ||
description: Detects Windows shells and scripting applications that write files to suspicious folders | ||
references: | ||
- Internal Research | ||
author: Florian Roth (Nextron Systems) | ||
date: 2021/11/20 | ||
modified: 2023/01/05 | ||
modified: 2023/03/29 | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
selection_shells: | ||
selection_1: | ||
Image|endswith: | ||
- '\bash.exe' | ||
- '\cmd.exe' | ||
- '\cscript.exe' | ||
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml | ||
- '\powershell.exe' | ||
- '\pwsh.exe' | ||
- '\wscript.exe' | ||
- '\cscript.exe' | ||
- '\sh.exe' | ||
- '\bash.exe' | ||
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml | ||
- '\wscript.exe' | ||
TargetFilename|startswith: | ||
- 'C:\Users\Public' | ||
- 'C:\PerfLogs' | ||
selection_program: | ||
- 'C:\PerfLogs\' | ||
- 'C:\Users\Public\' | ||
selection_2: | ||
Image|endswith: | ||
- '\schtasks.exe' | ||
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | ||
- '\mshta.exe' | ||
# - '\rundll32.exe' | ||
- '\certutil.exe' | ||
- '\forfiles.exe' | ||
- '\mshta.exe' | ||
#- '\rundll32.exe' # Potential FP | ||
- '\schtasks.exe' | ||
- '\scriptrunner.exe' | ||
- '\certutil.exe' | ||
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | ||
TargetFilename|contains: | ||
- 'C:\Users\Public' | ||
- 'C:\PerfLogs' | ||
- '\AppData\' | ||
- 'C:\Windows\Temp' | ||
condition: 1 of selection* | ||
- 'C:\PerfLogs\' | ||
- 'C:\Users\Public\' | ||
- 'C:\Windows\Temp\' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
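Review bot: Renaming `selection_shells` and `selection_program` to `selection_1` and `selection_2` drops the self-documenting names for no functional gain, since the new `condition: 1 of selection_*` works just as well with descriptive names; keeping names such as `selection_shells` and `selection_lolbins` makes the two image lists easier to tune when a false-positive report arrives. Also note that `selection_1` matches `TargetFilename|startswith` on `C:\PerfLogs\` and `C:\Users\Public\` while `selection_2` matches the same two paths with `TargetFilename|contains`; if the looser modifier in the second list is intentional, a short comment explaining why would help, otherwise `startswith` should be used for those two entries in both lists. The trailing backslashes added to the folder prefixes are a good tightening and prevent matches on sibling folders that merely share the prefix.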