From f925ec15485167934f35e82bb4704f4482ec9b27 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 02:03:40 +0500 Subject: [PATCH 01/10] update: added the other possible variation for '/' command --- .../proc_creation_win_esentutl_params.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml index 3f2a5aab587..7cd724bb7cb 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml @@ -8,7 +8,7 @@ references: - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ author: sam0x90 date: 2021/08/06 -modified: 2022/10/09 +modified: 2024/02/27 tags: - attack.credential_access - attack.t1003 @@ -17,11 +17,13 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - 'esentutl' + selection_esentutl: + CommandLine|contains: 'esentutl' + selection_flags: + CommandLine|contains: - ' /p' - condition: selection + - ' -p' + condition: all of selection_* fields: - User - CommandLine From a2725afa423ddb8e515e1402abb9129524a1291f Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 02:09:48 +0500 Subject: [PATCH 02/10] update: Increase coverage by adding for the "/" option in commands flags --- .../proc_creation_win_esentutl_sensitive_file_copy.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index aa1dacdfec4..317d4322a74 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml 
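Review bot: The added ' -p' value assumes esentutl.exe accepts a dash-prefixed switch as an alias for /p, but neither the hunk nor the commit message records where that was verified; the same assumption underlies the dash variants added to the other rules in this series (patches 02 through 07). A one-line comment above `selection_flags:` such as `# Note: esentutl also accepts '-' as the switch prefix (see <reference>)` would let a later maintainer judge the extra match surface the second value brings. Both values also lack a trailing delimiter, so ' -p' matches any argument beginning with -p on a command line that mentions esentutl; if the repair switch is always followed by the database path, `- ' /p '` and `- ' -p '` would be tighter, though that narrowing is a separate decision from this commit.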
@@ -8,7 +8,7 @@ references: - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2019/10/22 -modified: 2022/11/11 +modified: 2024/02/27 tags: - attack.credential_access - attack.t1003.002 @@ -26,7 +26,9 @@ detection: CommandLine|contains: - 'vss' - ' /m ' + - ' -m ' - ' /y ' + - ' -y ' selection_susp_paths: CommandLine|contains: - '\windows\ntds\ntds.dit' From 98e480730be674114440e1b3bcda5cfd8a2483d4 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 02:19:29 +0500 Subject: [PATCH 03/10] update --- ...c_creation_win_explorer_break_process_tree.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml index 133e0535817..bc54deee1a8 100644 --- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml +++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml @@ -11,7 +11,7 @@ references: - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber date: 2019/06/29 -modified: 2022/09/20 +modified: 2024/02/27 tags: - attack.defense_evasion - attack.t1036 
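Review bot: ' -m ' and ' -y ' are short flags shared by many unrelated tools, so on their own they are far more generic than the esentutl-specific switches they mirror; the selection that holds them begins above this hunk, and its precision now rests entirely on the condition keeping it ANDed with selection_susp_paths. If that AND is in place (the condition is outside the hunk) the change is sound, and a comment such as `# Note: ' -m ' / ' -y ' are generic flags; only meaningful together with selection_susp_paths` placed above `selection_susp_paths:` would record the dependency. The findstr rule in patch 04 has the same shape with ' -i "lsass' and ' -i lsass.exe', though those values carry the lsass token and are less exposed.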
@@ -19,15 +19,18 @@ logsource: category: process_creation product: windows detection: - selection: + selection_factory: # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference - - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data + CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data + selection_cli_1: # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique. - - CommandLine|contains|all: - - 'explorer.exe' + CommandLine|contains: 'explorer.exe' + selection_cli_2: + CommandLine|contains: - ' /root,' - condition: selection + - ' -root,' + condition: selection_factory or all of selection_cli_* falsepositives: - Unknown level: medium From bf9309b9b6e1e6d0e61c338335010c1d27a546c8 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 02:28:46 +0500 Subject: [PATCH 04/10] update: Increase coverage by adding for the "/" option in commands flags --- .../process_creation/proc_creation_win_findstr_lsass.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index 5941a31c969..fe52b3d5f8e 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
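Review bot: The two comment lines about the "/root" flag now sit between `selection_cli_1:` and its `CommandLine|contains: 'explorer.exe'`, but the flag values themselves moved to `selection_cli_2`, so the comment no longer describes the selection it annotates. Moving both comment lines to directly above `selection_cli_2:` keeps them next to the ' /root,' and ' -root,' values they explain. The long inline comment on the selection_factory match line would also read better on its own line above `CommandLine|contains:`, a style point only.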
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/11/11 +modified: 2024/02/27 tags: - attack.credential_access - attack.t1552.006 @@ -26,7 +26,9 @@ detection: selection_special: CommandLine|contains: - ' /i "lsass' + - ' -i "lsass' - ' /i lsass.exe' + - ' -i lsass.exe' - 'findstr "lsass' - 'findstr lsass' - 'findstr.exe "lsass' From 149cb490172bc9e10264748fdc6008f57adf39b4 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 02:39:39 +0500 Subject: [PATCH 05/10] update: Increase coverage by adding for the "/" option in commands flags --- .../proc_creation_win_iexpress_susp_execution.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml index b90112308d6..6f5d540e74d 100644 --- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml @@ -11,6 +11,7 @@ references: - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) date: 2024/02/05 +modified: 2024/02/27 tags: - attack.defense_evasion - attack.t1218 @@ -23,7 +24,9 @@ detection: - Image|endswith: '\iexpress.exe' - OriginalFileName: 'IEXPRESS.exe' selection_cli: - CommandLine|contains: ' /n ' + CommandLine|contains: + - ' /n ' + - ' -n ' selection_paths: CommandLine|contains: # Note: Add more uncommon paths that fit your organizational needs. From f1f321d661d07c646a1ce70f98c3f90decf3f0c2 Mon Sep 17 00:00:00 2001 
From: Qasim Qlf Date: Tue, 27 Feb 2024 02:53:52 +0500 Subject: [PATCH 06/10] update: Increase coverage by adding for the "/" option in commands flags --- .../process_creation/proc_creation_win_lolbin_unregmp2.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml index 77d8793a8d9..6a335967044 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml @@ -6,6 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ author: frack113 date: 2022/12/29 +modified: 2024/02/27 tags: - attack.defense_evasion - attack.t1218 @@ -17,7 +18,9 @@ detection: - Image|endswith: '\unregmp2.exe' - OriginalFileName: 'unregmp2.exe' selection_cmd: - CommandLine|contains: ' /HideWMP' + CommandLine|contains: + - ' /HideWMP' + - ' -HideWMP' condition: all of selection_* falsepositives: - Unknown From a0fa2bc5e3c95e9a421caa9079de1df62d5b3052 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 03:07:07 +0500 Subject: [PATCH 07/10] update: Increase coverage by adding for the "/" option in commands flags --- .../proc_creation_win_mstsc_remote_connection.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index 92a0f6ba0f8..e606d0c71a9 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml 
@@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc author: frack113 date: 2022/01/07 -modified: 2023/02/03 +modified: 2024/02/27 tags: - attack.lateral_movement - attack.t1021.001 @@ -21,7 +21,9 @@ detection: - Image|endswith: '\mstsc.exe' - OriginalFileName: 'mstsc.exe' selection_cli: - CommandLine|contains: ' /v:' + CommandLine|contains: + - ' /v:' + - ' -v:' filter_optional_wsl: # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' From 76eead63e2e5b8924e247ca626a4d58cceaf2623 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Feb 2024 03:11:36 +0500 Subject: [PATCH 08/10] update: Increase coverage by adding for the "/" option in commands flags --- .../proc_creation_win_explorer_break_process_tree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml index bc54deee1a8..c3931f3b710 100644 --- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml +++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml @@ -28,8 +28,8 @@ detection: CommandLine|contains: 'explorer.exe' selection_cli_2: CommandLine|contains: - - ' /root,' - - ' -root,' + - ' /root,' + - ' -root,' condition: selection_factory or all of selection_cli_* falsepositives: - Unknown From 214e16f9529ad135ce936b70328e1c28e1ed3ae8 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 3 Mar 2024 08:34:35 +0100 Subject: [PATCH 09/10] Fix yaml error --- .../process_creation/proc_creation_win_lolbin_unregmp2.yml | 2 +- .../proc_creation_win_mstsc_remote_connection.yml | 2 +- ...eation_win_powershell_download_susp_file_sharing_domains.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml index 6a335967044..8764b313854 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml @@ -18,7 +18,7 @@ detection: - Image|endswith: '\unregmp2.exe' - OriginalFileName: 'unregmp2.exe' selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' /HideWMP' - ' -HideWMP' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index e606d0c71a9..35fe550c705 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -21,7 +21,7 @@ detection: - Image|endswith: '\mstsc.exe' - OriginalFileName: 'mstsc.exe' selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /v:' - ' -v:' filter_optional_wsl: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml index a433c598baf..7c3d8e69a18 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml 
@@ -25,7 +25,7 @@ detection: selection_websites: CommandLine|contains: # Note: You might want to baseline the github domain before including it - #- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea). + # - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea). - 'anonfiles.com' - 'cdn.discordapp.com' - 'cdn.discordapp.com/attachments/' From 95201b75581088cc2003793a1b96405cc5c9e550 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 5 Mar 2024 18:48:29 +0500 Subject: [PATCH 10/10] update: added image name for esentutl Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../process_creation/proc_creation_win_esentutl_params.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml index 7cd724bb7cb..8964c7d7a5a 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml @@ -17,8 +17,9 @@ logsource: category: process_creation product: windows detection: - selection_esentutl: - CommandLine|contains: 'esentutl' + selection_img: + - Image|endswith: '\esentutl.exe' + - OriginalFileName: 'esentutl.exe' selection_flags: CommandLine|contains: - ' /p'
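Review bot: The `modified` field is not bumped in this commit even though the detection logic changes (the CommandLine 'esentutl' substring is replaced by Image/OriginalFileName matching), whereas every earlier logic change in this series updated it; `modified: 2024/03/05`, matching the commit date, would keep that convention and the field sits a few lines above this hunk. The new selection_img pairing is a sound tightening: OriginalFileName still catches a renamed binary, while the bare 'esentutl' substring no longer fires on unrelated command lines that merely mention it. The rest of selection_flags and the condition are outside the hunk; the rename from selection_esentutl to selection_img still fits the `all of selection_*` condition introduced in patch 01 provided that condition is unchanged.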