From ecc2f649b9cb0b63c2c48e43e2ba4a20ac2d4afc Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:11:59 +0000 Subject: [PATCH] Sigma Rule Update (2024-05-13 20:11:52) (#664) Co-authored-by: hach1yon --- ..._security_mal_cosmik_duke_persistence.yml} | 17 +++--- ...ation_win_apt_forest_blizzard_activity.yml | 3 +- .../posh_ps_packet_capture.yml | 37 +++++++++++++ .../proc_creation_win_attrib_hiding_files.yml | 6 +-- ..._creation_win_attrib_system_susp_paths.yml | 4 +- ...ation_win_esentutl_sensitive_file_copy.yml | 1 + ...n_win_format_uncommon_filesystem_load.yml} | 14 ++--- .../proc_creation_win_hktl_evil_winrm.yml | 4 +- .../proc_creation_win_icacls_deny.yml | 6 +-- ...on_win_keyscrambler_susp_child_process.yml | 49 +++++++++++++++++ ...ion_win_pdqdeploy_runner_susp_children.yml | 44 +++++++-------- ..._creation_win_reg_disable_sec_services.yml | 2 +- ...tion_win_schtasks_creation_temp_folder.yml | 3 -- .../proc_creation_win_schtasks_delete.yml | 10 ++-- .../proc_creation_win_schtasks_disable.yml | 10 ++-- ...on_win_vscode_tunnel_renamed_execution.yml | 2 +- ...reation_win_wbadmin_delete_all_backups.yml | 41 ++++++++++++++ ...oc_creation_win_wbadmin_delete_backups.yml | 43 +++++++++++++++ ...n_win_wbadmin_delete_systemstatebackup.yml | 39 -------------- ...ation_win_wbadmin_dump_sensitive_files.yml | 45 ++++++++++++++++ ...proc_creation_win_wbadmin_restore_file.yml | 35 ++++++++++++ ...on_win_wbadmin_restore_sensitive_files.yml | 42 +++++++++++++++ .../proc_creation_win_attrib_system.yml | 1 + ...in_schtasks_creation_from_susp_parent.yml} | 17 +++--- ...ation_win_apt_forest_blizzard_activity.yml | 3 +- ...ile_event_win_susp_executable_creation.yml | 8 +-- .../image_load_side_load_keyscrambler.yml | 2 + .../proc_creation_win_attrib_hiding_files.yml | 6 +-- ..._creation_win_attrib_system_susp_paths.yml | 4 +- ...ation_win_esentutl_sensitive_file_copy.yml | 1 + ...n_win_format_uncommon_filesystem_load.yml} | 14 ++--- 
.../proc_creation_win_hktl_evil_winrm.yml | 4 +- .../proc_creation_win_icacls_deny.yml | 6 +-- ...on_win_keyscrambler_susp_child_process.yml | 54 +++++++++++++++++++ ...ion_win_pdqdeploy_runner_susp_children.yml | 44 +++++++-------- ..._creation_win_reg_disable_sec_services.yml | 2 +- ...tion_win_schtasks_creation_temp_folder.yml | 3 -- .../proc_creation_win_schtasks_delete.yml | 10 ++-- .../proc_creation_win_schtasks_disable.yml | 10 ++-- ...on_win_vscode_tunnel_renamed_execution.yml | 2 +- ...reation_win_wbadmin_delete_all_backups.yml | 46 ++++++++++++++++ ...oc_creation_win_wbadmin_delete_backups.yml | 48 +++++++++++++++++ ...n_win_wbadmin_delete_systemstatebackup.yml | 39 -------------- ...ation_win_wbadmin_dump_sensitive_files.yml | 45 ++++++++++++++++ ...proc_creation_win_wbadmin_restore_file.yml | 40 ++++++++++++++ ...on_win_wbadmin_restore_sensitive_files.yml | 47 ++++++++++++++++ .../proc_creation_win_attrib_system.yml | 1 + ...in_schtasks_creation_from_susp_parent.yml} | 19 ++++--- 48 files changed, 723 insertions(+), 210 deletions(-) rename sigma/builtin/{security/win_security_mal_service_installs.yml => emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml} (61%) create mode 100644 sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml rename sigma/builtin/process_creation/{proc_creation_win_lolbin_format.yml => proc_creation_win_format_uncommon_filesystem_load.yml} (72%) create mode 100644 sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_backups.yml delete mode 100644 sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml create mode 100644 
sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_file.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml rename sigma/builtin/{ => threat-hunting}/process_creation/proc_creation_win_attrib_system.yml (97%) rename sigma/builtin/{process_creation/proc_creation_win_schtasks_parent.yml => threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml} (69%) rename sigma/sysmon/process_creation/{proc_creation_win_lolbin_format.yml => proc_creation_win_format_uncommon_filesystem_load.yml} (73%) create mode 100644 sigma/sysmon/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_backups.yml delete mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_file.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml rename sigma/sysmon/{ => threat-hunting}/process_creation/proc_creation_win_attrib_system.yml (97%) rename sigma/sysmon/{process_creation/proc_creation_win_schtasks_parent.yml => threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml} (69%) diff --git a/sigma/builtin/security/win_security_mal_service_installs.yml b/sigma/builtin/emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml similarity index 61% rename from sigma/builtin/security/win_security_mal_service_installs.yml rename to sigma/builtin/emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml index 5164ed165..c7ce9b549 100644 
--- a/sigma/builtin/security/win_security_mal_service_installs.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml @@ -1,4 +1,4 @@ -title: Malicious Service Installations +title: CosmicDuke Service Installation id: 8428d90d-a928-f70a-c46e-f08457d6b01f related: - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a @@ -6,21 +6,19 @@ related: - id: cb062102-587e-4414-8efa-dbe3c7bf19c6 type: derived status: test -description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. +description: | + Detects the installation of a service named "javamtsup" on the system. + The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence. references: - - https://awakesecurity.com/blog/threat-hunting-for-paexec/ - - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 modified: 2022/10/09 tags: - attack.persistence - - attack.privilege_escalation - - attack.t1003 - - car.2013-09-005 - attack.t1543.003 - attack.t1569.002 + - detection.emerging_threats logsource: product: windows service: security @@ -30,10 +28,9 @@ detection: Channel: Security selection: EventID: 4697 - malsvc_apt29: ServiceName: javamtsup - condition: security and (selection and 1 of malsvc_*) + condition: security and selection falsepositives: - - Unknown + - Unlikely level: critical ruletype: Sigma diff --git a/sigma/builtin/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/sigma/builtin/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml index c559aa65c..845e6ab4c 100644 
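Review bot: `modified: 2022/10/09` in the @@ -6,21 +6,19 @@ hunk is left as-is even though the title, description, references, tags, condition and falsepositives of this rule all change in the same hunk; Sigma convention is to bump `modified` whenever the rule body changes, otherwise consumers that track rule revisions by that field will not pick this up as a new version. Suggest `modified: 2024/05/13` (or the real upstream change date). Since the rule now rests entirely on one exact `ServiceName: javamtsup` match at level critical, the description could also say so explicitly, e.g. `The service name is matched exactly; renamed variants are not covered.`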
--- a/sigma/builtin/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml +++ b/sigma/builtin/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml @@ -11,6 +11,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ author: Nasreddine Bencherchali (Nextron Systems) date: 2024/04/23 +modified: 2024/05/11 tags: - attack.defense_evasion - attack.execution @@ -44,7 +45,7 @@ detection: - \Microsoft\Windows\WinSrv NewProcessName|endswith: \schtasks.exe selection_powershell: - CommandLine|contains: + CommandLine|contains|all: - Get-ChildItem - .save - Compress-Archive -DestinationPath C:\ProgramData\ diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml b/sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml new file mode 100644 index 000000000..035fd5ac6 --- /dev/null +++ b/sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml 
@@ -0,0 +1,37 @@
+title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
+id: 0357e3d7-f8fe-0601-0902-364f4cdbed81
+related:
+ - id: da34e323-1e65-42db-83be-a6725ac2caa3
+ type: derived
+status: experimental
+description: |
+ Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
+ Adversaries may attempt to capture network to gather information over the course of an operation.
+ Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+ - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
+ - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+author: frack113
+date: 2024/05/12
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains: Start-NetEventSession
+ condition: ps_script and selection
+falsepositives:
+ - Legitimate network diagnostic scripts.
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml b/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml
index 766a159db..7c910e471 100644
--- a/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml
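Review bot: `ScriptBlockText|contains: Start-NetEventSession` in `selection` is a bare substring, so any 4104 script block that merely mentions the cmdlet (help text, a comment, module code being logged) fires at medium, yet the description claims to detect "execution" of the cmdlet, which script-block logging cannot establish on its own. Consider rewording to `Detects PowerShell script blocks that reference the "Start-NetEventSession" cmdlet ...` or adding `- Script blocks that only reference the cmdlet, e.g. help or module code` under `falsepositives`. The second description line, "attempt to capture network to gather information", reads as truncated; `capture network traffic` is presumably intended.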
+++ b/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml @@ -27,13 +27,13 @@ detection: - OriginalFileName: ATTRIB.EXE selection_cli: CommandLine|contains: ' +h ' - filter_msiexec: + filter_main_msiexec: CommandLine|contains: '\desktop.ini ' - filter_intel: + filter_optional_intel: CommandLine: +R +H +S +A \\\*.cui ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat ParentProcessName|endswith: \cmd.exe - condition: process_creation and (all of selection_* and not 1 of filter_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - Msiexec.exe hiding desktop.ini diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 94aafb0fc..85caf696d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml @@ -43,11 +43,11 @@ detection: - .ps1 - .vbe - .vbs - filter: + filter_optional_installer: CommandLine|contains|all: - \Windows\TEMP\ - .exe - condition: process_creation and (all of selection* and not filter) + condition: process_creation and (all of selection* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index 3dd62c5bb..21d053a6f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml 
@@ -9,6 +9,7 @@ references: - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ + - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2019/10/22 modified: 2022/11/11 diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml b/sigma/builtin/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml similarity index 72% rename from sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml rename to sigma/builtin/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml index 1644b6221..f673cbdf8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml +++ b/sigma/builtin/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml 
@@ -1,15 +1,17 @@ -title: Format.com FileSystem LOLBIN +title: Uncommon FileSystem Load Attempt By Format.com id: de9e4f46-8404-a8bb-7f5a-78bc21b25a9e related: - id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 type: derived status: test -description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs +description: | + Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. references: - https://twitter.com/0gtweet/status/1477925112561209344 - https://twitter.com/wdormann/status/1478011052130459653?s=20 author: Florian Roth (Nextron Systems) date: 2022/01/04 +modified: 2024/05/13 tags: - attack.defense_evasion - sysmon @@ -23,14 +25,14 @@ detection: selection: CommandLine|contains: '/fs:' NewProcessName|endswith: \format.com - filter: + filter_main_known_fs: CommandLine|contains: - - /fs:FAT - /fs:exFAT + - /fs:FAT - /fs:NTFS - - /fs:UDF - /fs:ReFS - condition: process_creation and (selection and not 1 of filter*) + - /fs:UDF + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml index 34429e5b2..5fe1f472c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml 
@@ -22,13 +22,13 @@ detection: process_creation: EventID: 4688 Channel: Security - selection_mstsc: + selection: CommandLine|contains|all: - '-i ' - '-u ' - '-p ' NewProcessName|endswith: \ruby.exe - condition: process_creation and (1 of selection_*) + condition: process_creation and selection falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml b/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml index 1bbff70ea..e5ea692ce 100644 --- a/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml +++ b/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml @@ -9,6 +9,7 @@ references: - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/ author: frack113 date: 2022/07/18 +modified: 2024/04/29 tags: - attack.defense_evasion - attack.t1564.001 @@ -25,11 +26,10 @@ detection: - NewProcessName|endswith: \icacls.exe selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC) CommandLine|contains|all: - - C:\Users\ - /deny - '*S-1-1-0:' - condition: process_creation and (all of selection*) + condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use + - Unknown level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml new file mode 100644 index 000000000..3c4bfc48a --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml 
@@ -0,0 +1,49 @@
+title: Potentially Suspicious Child Process of KeyScrambler.exe
+id: b2e90afd-fc69-1c5c-0457-d908fe3c4335
+status: experimental
+description: Detects potentially suspicious child processes of KeyScrambler.exe
+references:
+ - https://twitter.com/DTCERT/status/1712785421845790799
+author: Swachchhanda Shrawan Poudel
+date: 2024/05/13
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1203
+ - attack.t1574.002
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentProcessName|endswith: \KeyScrambler.exe
+ selection_binaries:
+ # Note: add additional binaries that the attacker might use
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \cscript.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \regsvr32.exe
+ - \rundll32.exe
+ - \wscript.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - cscript.exe
+ - mshta.exe
+ - PowerShell.EXE
+ - pwsh.dll
+ - regsvr32.exe
+ - RUNDLL32.EXE
+ - wscript.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index fc822bfb4..dbd885315 100644
--- a/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution Of PDQDeployRunner
+title: Potentially Suspicious Execution Of PDQDeployRunner
id: 26de0206-5a40-c902-6fcf-8ab280a45735
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
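Review bot: The tag list combines `attack.t1574.002` (DLL side-loading, which fits the parent match on `\KeyScrambler.exe` and the DTCERT reference) with `attack.t1203` and `attack.privilege_escalation`, and nothing in the rule or its single reference points at an exploit; unless the referenced thread documents one, those two tags look like copy-paste and should be dropped so the technique mapping stays honest. The diffstat shows `image_load_side_load_keyscrambler.yml` is touched in the same commit, so a `related:` entry (`type: similar`) pointing at that rule's id would let an analyst pivot from this child-process hit to the side-load event. `OriginalFileName: pwsh.dll` appears intentional (the pwsh.exe version resource reports that name) but reads like a typo next to `\pwsh.exe`; a trailing `# pwsh.exe reports OriginalFileName pwsh.dll` would save the next reviewer a check.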
@@ -6,6 +6,7 @@ references: - https://twitter.com/malmoeb/status/1550483085472432128 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/22 +modified: 2024/05/02 tags: - attack.execution - sysmon @@ -17,39 +18,40 @@ detection: EventID: 4688 Channel: Security selection_parent: - ParentProcessName|contains: PDQDeployRunner- - selection_susp: + ParentProcessName|contains: \PDQDeployRunner- + selection_child: # Improve this section by adding other suspicious processes, commandlines or paths - NewProcessName|endswith: # If you use any of the following processes legitimately comment them out - - \wscript.exe - - \cscript.exe - - \rundll32.exe - - \regsvr32.exe - - \wmic.exe - - \msiexec.exe - - \mshta.exe + - \bash.exe + - \certutil.exe + - \cmd.exe - \csc.exe + - \cscript.exe - \dllhost.exe - - \certutil.exe + - \mshta.exe + - \msiexec.exe + - \regsvr32.exe + - \rundll32.exe - \scriptrunner.exe - - \bash.exe + - \wmic.exe + - \wscript.exe - \wsl.exe - NewProcessName|contains: - - C:\Users\Public\ - - C:\ProgramData\ - - C:\Windows\TEMP\ + - :\ProgramData\ + - :\Users\Public\ + - :\Windows\TEMP\ - \AppData\Local\Temp - CommandLine|contains: - - 'iex ' - - Invoke- - - DownloadString - - http + - ' -decode ' - ' -enc ' - ' -encodedcommand ' - - FromBase64String - - ' -decode ' - ' -w hidden' + - DownloadString + - FromBase64String + - http + - 'iex ' + - Invoke- condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the PDQDeploy tool to execute these commands diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml b/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml index 3ca6301a3..3f85d5fe5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml 
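Review bot: Adding `\cmd.exe` to the `NewProcessName|endswith` list is a large widening: `selection_child` is a list of three alternatives (OR), so with `all of selection_*` a PDQDeployRunner parent plus any listed child image is enough to alert, and cmd.exe is the most common legitimate child here because batch-wrapped installers are a standard PDQ package shape. The inline comment telling operators to comment out images they use legitimately does not really help for cmd.exe, and the `falsepositives` entry stays generic. Either keep cmd.exe only in combination with one of the `CommandLine|contains` tokens (a separate selection), or at least add `- Batch-file based PDQ packages spawn cmd.exe as a child of PDQDeployRunner` to `falsepositives`. The leading backslash added to `ParentProcessName|contains: \PDQDeployRunner-` is a good tightening.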
@@ -46,7 +46,7 @@ detection: - \WinDefend - \wscsvc - \wuauserv - condition: process_creation and (selection_reg_add and 1 of selection_cli_*) + condition: process_creation and (all of selection_*) falsepositives: - Unlikely level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml index 7218134ce..e08162c83 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml @@ -29,9 +29,6 @@ detection: - \Temp\ NewProcessName|endswith: \schtasks.exe condition: process_creation and selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Administrative activity - Software installation diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml index 5ca5f60b2..422237907 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml @@ -17,21 +17,21 @@ detection: process_creation: EventID: 4688 Channel: Security - schtasks_exe: + selection: CommandLine|contains|all: - /delete - /tn CommandLine|contains: # Add more important tasks + - \Windows\BitLocker + - \Windows\ExploitGuard - \Windows\SystemRestore\SR + - \Windows\UpdateOrchestrator\ - \Windows\Windows Defender\ - - \Windows\BitLocker - \Windows\WindowsBackup\ - \Windows\WindowsUpdate\ - - \Windows\UpdateOrchestrator\ - - \Windows\ExploitGuard NewProcessName|endswith: \schtasks.exe - condition: process_creation and (all of schtasks_*) + condition: process_creation and selection falsepositives: - Unlikely level: high 
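Review bot: The new condition `all of selection_*` is equivalent to the old `selection_reg_add and 1 of selection_cli_*` only if exactly one `selection_cli_*` block exists above this hunk; the old wildcard form suggests there are (or were meant to be) several alternative command-line selections, and `all of` would then require every one of them to match at once, silently narrowing the rule. The selection definitions are outside the hunk, so this cannot be verified from the diff. If more than one `selection_cli_*` remains, keep `selection_reg_add and 1 of selection_cli_*`; if there is only one, a comment such as `# single cli selection, so all-of equals the previous 1-of` would record why the simplification is safe.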
diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml index 63641e5d0..aff8798db 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml @@ -20,22 +20,22 @@ detection: process_creation: EventID: 4688 Channel: Security - schtasks_exe: + selection: CommandLine|contains|all: - /Change - /TN - /disable CommandLine|contains: # Add more important tasks + - \Windows\BitLocker + - \Windows\ExploitGuard - \Windows\SystemRestore\SR + - \Windows\UpdateOrchestrator\ - \Windows\Windows Defender\ - - \Windows\BitLocker - \Windows\WindowsBackup\ - \Windows\WindowsUpdate\ - - \Windows\UpdateOrchestrator\ - - \Windows\ExploitGuard NewProcessName|endswith: \schtasks.exe - condition: process_creation and (all of schtasks_*) + condition: process_creation and selection falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index ab15b32f3..a0446ce0d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml @@ -51,7 +51,7 @@ detection: NewProcessName|endswith: - \code-tunnel.exe - \code.exe - condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)) + condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)) falsepositives: - Unknown level: high 
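Review bot: Replacing `1 of selection_parent_*` with the explicit `selection_parent_tunnel` in the vscode_tunnel condition is behaviour-preserving only if `selection_parent_tunnel` is the sole `selection_parent_*` block; any other `selection_parent_*` selection defined above the hunk becomes dead (defined but never referenced), which Sigma validators flag and which quietly drops that parent-based coverage. The selection definitions start outside the hunk, so this cannot be confirmed here; please verify that no second parent selection remains, or keep the wildcard form.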
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
new file mode 100644
index 000000000..6a891deaa
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
@@ -0,0 +1,41 @@
+title: All Backups Deleted Via Wbadmin.EXE
+id: ba8fde0b-93d2-2680-ea4d-b260729bf75e
+status: test
+description: |
+ Detects the deletion of all backups or system state backups via "wbadmin.exe".
+ This technique is used by numerous ransomware families and actors.
+ This may only be successful on server platforms that have Windows Backup enabled.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+ - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
+ - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+ - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+ - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/12/13
+modified: 2024/05/10
+tags:
+ - attack.impact
+ - attack.t1490
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wbadmin.exe
+ - OriginalFileName: WBADMIN.EXE
+ selection_cli:
+ CommandLine|contains|all:
+ - delete
+ - backup # Also covers "SYSTEMSTATEBACKUP"
+ CommandLine|contains: keepVersions:0
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
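Review bot: `selection_cli` matches a bare `- delete` while the sibling rule "Windows Backup Deleted Via Wbadmin.EXE", which filters out `keepVersions:0` precisely to defer those commands to this rule, matches `- 'delete '`; the two rules are meant to partition one command space, so the token forms should be identical (`- 'delete '` here) to keep the hand-off exact and easy to reason about. A `related:` entry pointing at the sibling would also make that hand-off visible from this file, since at present it is recorded only in the sibling's comment. `falsepositives: Unknown` can be sharper: with `keepVersions:0` the only benign case is an administrator deliberately purging every backup, e.g. `- Administrators intentionally purging all backups before decommissioning a server`, which tells analysts the level-high verdict is intentional.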
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_backups.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_backups.yml
new file mode 100644
index 000000000..c3958e14b
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_backups.yml
@@ -0,0 +1,43 @@
+title: Windows Backup Deleted Via Wbadmin.EXE
+id: 133b31a6-d87d-34ee-0699-ac8c9dce764b
+status: test
+description: |
+ Detects the deletion of backups or system state backups via "wbadmin.exe".
+ This technique is used by numerous ransomware families and actors.
+ This may only be successful on server platforms that have Windows Backup enabled.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+ - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
+ - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+ - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+ - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/12/13
+modified: 2024/05/10
+tags:
+ - attack.impact
+ - attack.t1490
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wbadmin.exe
+ - OriginalFileName: WBADMIN.EXE
+ selection_cli:
+ CommandLine|contains|all:
+ - 'delete '
+ - backup # Also covers "SYSTEMSTATEBACKUP"
+ filter_main_keep_versions:
+ # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
+ CommandLine|contains: keepVersions:0
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate backup activity from administration scripts and software.
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml
deleted file mode 100644
index 9cb897f72..000000000
--- a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: SystemStateBackup Deleted Using Wbadmin.EXE
-id: 133b31a6-d87d-34ee-0699-ac8c9dce764b
-related:
- - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
- type: derived
-status: test
-description: |
- Deletes the Windows systemstatebackup using wbadmin.exe.
- This technique is used by numerous ransomware families.
- This may only be successful on server platforms that have Windows Backup enabled.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
-author: frack113
-date: 2021/12/13
-modified: 2023/02/04
-tags:
- - attack.impact
- - attack.t1490
- - sysmon
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \wbadmin.exe
- - OriginalFileName: WBADMIN.EXE
- selection_cli:
- CommandLine|contains|all:
- - 'delete '
- - 'systemstatebackup '
- - -keepVersions:0
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
new file mode 100644
index 000000000..e7510f9a3
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
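Review bot: The comment above `filter_main_keep_versions` says the exclusion avoids duplicate alerts with `639c9081-f482-47d3-a0bd-ddee3d4ecd76`, but that id appears nowhere in the visible diff; the rule created alongside this one ("All Backups Deleted Via Wbadmin.EXE") carries id `ba8fde0b-93d2-2680-ea4d-b260729bf75e`, so the comment seems to cite the upstream id rather than the one this repository assigns, and a reader here cannot resolve it. Pointing the comment (or better, a `related:` entry) at the local id would fix that. This rule also inherits id `133b31a6-...` from the deleted "SystemStateBackup Deleted Using Wbadmin.EXE" rule yet drops that rule's `related` block (`89f75308-...`, `type: derived`); if the lineage still matters, carry the entry forward, otherwise note in the description that this rule replaces the systemstatebackup-only one.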
@@ -0,0 +1,45 @@
+title: Sensitive File Dump Via Wbadmin.EXE
+id: f3baa8fc-8db9-1300-7b37-53785ce88ee9
+related:
+ - id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
+ type: derived
+status: experimental
+description: |
+ Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+ Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+ - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/05/10
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wbadmin.exe
+ - OriginalFileName: WBADMIN.EXE
+ selection_backup:
+ CommandLine|contains:
+ - start
+ - backup
+ selection_path:
+ CommandLine|contains:
+ - \config\SAM
+ - \config\SECURITY
+ - \config\SYSTEM
+ - \Windows\NTDS\NTDS.dit
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_file.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_file.yml
new file mode 100644
index 000000000..ad432e080
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_file.yml
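Review bot: `selection_backup` lists `start` and `backup` under a plain `CommandLine|contains:`, which in Sigma is an OR, so the selection is satisfied by any wbadmin command line containing either word — including `wbadmin start recovery ... -backupTarget:...`, which contains both; combined with `selection_path` this rule will therefore fire on every hit of the sibling "Sensitive File Recovery From Backup Via Wbadmin.EXE" rule and on most other wbadmin invocations naming those paths, doubling alerts at level high. If the intent is the `start backup` subcommand, use `CommandLine|contains|all:` for the two tokens or a single `- 'start backup'` string. Separately, `\config\SYSTEM` is a prefix of `\config\systemprofile\` and Sigma string matching is case-insensitive by default, so a backup that includes anything under `C:\Windows\System32\config\systemprofile\` will match the SYSTEM-hive entry; `- '\config\SYSTEM '` (trailing space) or matching the full hive path avoids that.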
@@ -0,0 +1,35 @@ +title: File Recovery From Backup Via Wbadmin.EXE +id: 5202675a-41e6-e644-d9e9-47e5f945d40a +status: experimental +description: | + Detects the recovery of files from backups via "wbadmin.exe". + Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials. +references: + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery + - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/05/10 +tags: + - attack.impact + - attack.t1490 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_cli: + CommandLine|contains|all: + - ' recovery' + - recoveryTarget + - itemtype:File + condition: process_creation and (all of selection_*) +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml new file mode 100644 index 000000000..3ee61e2e7 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml 
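Review bot: The tags `attack.impact` / `attack.t1490` (Inhibit System Recovery) contradict the description, which frames the activity as restoring NTDS.DIT or registry hives "in order to potentially extract credentials"; restoring from a backup is the opposite of inhibiting recovery. If the credential angle is the intent, the tags should follow the sibling sensitive-file rules (`attack.credential_access`, `attack.t1003.003`); if the Impact tag is deliberate, the description should say why. Also, `falsepositives: Unknown` understates a routine operation — file recovery is exactly what backup administrators use wbadmin for — so something like `- Legitimate file recovery performed by backup administrators` would set expectations for a medium-level rule.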
@@ -0,0 +1,42 @@ +title: Sensitive File Recovery From Backup Via Wbadmin.EXE +id: 0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d +status: experimental +description: | + Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. + Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml + - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/05/10 +tags: + - attack.credential_access + - attack.t1003.003 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_backup: + CommandLine|contains|all: + - ' recovery' + - recoveryTarget + - itemtype:File + CommandLine|contains: + - \config\SAM + - \config\SECURITY + - \config\SYSTEM + - \Windows\NTDS\NTDS.dit + condition: process_creation and (all of selection_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_attrib_system.yml similarity index 97% rename from sigma/builtin/process_creation/proc_creation_win_attrib_system.yml rename to sigma/builtin/threat-hunting/process_creation/proc_creation_win_attrib_system.yml index 174e1e52c..c20fddfc4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml 
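Review bot: The description was carried over from the dump rule — `Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.` — while the selection matches a `start recovery ... -recoveryTarget ... -itemtype:File` command, i.e. a restore from backup, and the `wbadmin-start-backup` reference is likewise about the other operation. Suggest `Detects the recovery of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive from a backup via "wbadmin.exe". Attackers can restore these files to an attacker-controlled location in order to extract credentials.` The selection name `selection_backup` is similarly misleading for a recovery match and could be `selection_recovery`. As in the dump rule, `\config\SYSTEM` is also a prefix of `\config\systemprofile\` under case-insensitive matching, which is worth tightening for a high-level rule.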
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_attrib_system.yml @@ -12,6 +12,7 @@ modified: 2023/03/14 tags: - attack.defense_evasion - attack.t1564.001 + - detection.threat_hunting - sysmon logsource: category: process_creation diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml similarity index 69% rename from sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml rename to sigma/builtin/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml index 7b323153b..efd6a4837 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml @@ -1,18 +1,21 @@ -title: Suspicious Add Scheduled Task Parent +title: Scheduled Task Creation From Potential Suspicious Parent Location id: f0e5d329-4070-a553-6ff1-1842415b9bc8 related: - id: 9494479d-d994-40bf-a8b1-eea890237021 type: derived status: test -description: Detects suspicious scheduled task creations from a parent stored in a temporary folder +description: | + Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. + Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence. references: - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ author: Florian Roth (Nextron Systems) date: 2022/02/23 -modified: 2022/06/02 +modified: 2024/05/13 tags: - attack.execution - attack.t1053.005 + - detection.threat_hunting - sysmon logsource: product: windows 
@@ -23,17 +26,19 @@ detection: Channel: Security selection: CommandLine|contains: '/Create ' - NewProcessName|endswith: \schtasks.exe ParentProcessName|contains: + - :\Temp\ - \AppData\Local\ - \AppData\Roaming\ - \Temporary Internet - \Users\Public\ - filter: + - \Windows\Temp\ + NewProcessName|endswith: \schtasks.exe + filter_optional_common: CommandLine|contains: - update_task.xml - unattended.ini - condition: process_creation and (selection and not 1 of filter*) + condition: process_creation and (selection and not 1 of filter_optional_*) falsepositives: - Software installers that run from temporary folders and also install scheduled tasks level: medium diff --git a/sigma/sysmon/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/sigma/sysmon/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml index dc8838ec9..d315a8228 100644 --- a/sigma/sysmon/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml +++ b/sigma/sysmon/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml @@ -11,6 +11,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ author: Nasreddine Bencherchali (Nextron Systems) date: 2024/04/23 +modified: 2024/05/11 tags: - attack.defense_evasion - attack.execution @@ -44,7 +45,7 @@ detection: - '/F ' - \Microsoft\Windows\WinSrv selection_powershell: - CommandLine|contains: + CommandLine|contains|all: - Get-ChildItem - .save - Compress-Archive -DestinationPath C:\ProgramData\ diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml index c49bee67e..dcb88a170 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml 
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml @@ -4,7 +4,9 @@ related: - id: 74babdd6-a758-4549-9632-26535279e654 type: derived status: test -description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths. +description: | + Detect creation of suspicious executable file names. + Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths. references: - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/ @@ -22,7 +24,7 @@ detection: file_event: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational - selection_double: + selection: TargetFilename|endswith: - :\$Recycle.Bin.exe - :\Documents and Settings.exe @@ -31,7 +33,7 @@ detection: - :\Recovery.exe - .bat.exe - .sys.exe - condition: file_event and (1 of selection_*) + condition: file_event and selection falsepositives: - Unknown level: high diff --git a/sigma/sysmon/image_load/image_load_side_load_keyscrambler.yml b/sigma/sysmon/image_load/image_load_side_load_keyscrambler.yml index 5dfa611b6..f95d49a92 100644 --- a/sigma/sysmon/image_load/image_load_side_load_keyscrambler.yml +++ b/sigma/sysmon/image_load/image_load_side_load_keyscrambler.yml @@ -1,6 +1,8 @@ title: Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE id: 2723cb06-e465-59c3-bacc-6c9a31afa59d related: + - id: ca5583e9-8f80-46ac-ab91-7f314d13b984 + type: similar - id: d2451be2-b582-4e15-8701-4196ac180260 type: derived status: experimental diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml b/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml index 46463388d..5617bb61c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml @@ -27,13 +27,13 @@ detection: - OriginalFileName: ATTRIB.EXE selection_cli: CommandLine|contains: ' +h ' - filter_msiexec: + filter_main_msiexec: CommandLine|contains: '\desktop.ini ' - filter_intel: + filter_optional_intel: ParentImage|endswith: \cmd.exe CommandLine: +R +H +S +A \\\*.cui ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat - condition: process_creation and (all of selection_* and not 1 of filter_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - Msiexec.exe hiding desktop.ini diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 7b0ac5bf7..66992baab 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml @@ -48,11 +48,11 @@ detection: - .ps1 - .vbe - .vbs - filter: + filter_optional_installer: CommandLine|contains|all: - \Windows\TEMP\ - .exe - condition: process_creation and (all of selection* and not filter) + condition: process_creation and (all of selection* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index 3e231d47a..8c4d5e441 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml 
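Review bot: `filter_main_msiexec` is now a mandatory filter, but it tests only `CommandLine|contains: '\desktop.ini '`, so any `attrib +h` invocation that merely carries the substring `\desktop.ini ` somewhere in its arguments is excluded from the rule regardless of what is actually being hidden or who launched it; this is an easy opt-out for an attacker who appends a bogus path argument (how attrib treats a second, nonexistent path argument should be confirmed, but the command line itself is all the filter sees). The falsepositives entry attributes this pattern to msiexec, so the filter should be pinned to that parent, e.g. adding `ParentImage|endswith: \msiexec.exe` to the filter map alongside the CommandLine condition, or it should stay a `filter_optional_` that deployments can tune. The same substring-only shape applies to `filter_optional_installer` in the following hunk, though as an optional filter that is less of a concern.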
@@ -9,6 +9,7 @@ references: - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ + - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2019/10/22 modified: 2022/11/11 diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml b/sigma/sysmon/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml similarity index 73% rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml rename to sigma/sysmon/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml index d0df21819..117329ab4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml @@ -1,15 +1,17 @@ -title: Format.com FileSystem LOLBIN +title: Uncommon FileSystem Load Attempt By Format.com id: ae5f9d94-13d0-8f94-fb08-1d06e23ea7fa related: - id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 type: derived status: test -description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs +description: | + Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. references: - https://twitter.com/0gtweet/status/1477925112561209344 - https://twitter.com/wdormann/status/1478011052130459653?s=20 author: Florian Roth (Nextron Systems) date: 2022/01/04 +modified: 2024/05/13 tags: - attack.defense_evasion - sysmon 
@@ -23,14 +25,14 @@ detection: selection: Image|endswith: \format.com CommandLine|contains: '/fs:' - filter: + filter_main_known_fs: CommandLine|contains: - - /fs:FAT - /fs:exFAT + - /fs:FAT - /fs:NTFS - - /fs:UDF - /fs:ReFS - condition: process_creation and (selection and not 1 of filter*) + - /fs:UDF + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml index 006461d8a..3f0693c0a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml @@ -22,13 +22,13 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection_mstsc: + selection: Image|endswith: \ruby.exe CommandLine|contains|all: - '-i ' - '-u ' - '-p ' - condition: process_creation and (1 of selection_*) + condition: process_creation and selection falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml b/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml index ae3ecae88..39926d3cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml @@ -9,6 +9,7 @@ references: - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/ author: frack113 date: 2022/07/18 +modified: 2024/04/29 tags: - attack.defense_evasion - attack.t1564.001 
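Review bot: `filter_main_known_fs` is now the only thing between `selection` (`CommandLine|contains: '/fs:'`) and a high-level alert, yet it uses `CommandLine|contains`, a substring test, so any `/fs:` value that merely begins with a listed name — `/fs:NTFSx`, `/fs:UDFevil` — is also excluded, and the behaviour the referenced tweets describe (format.com resolving a provider from the supplied name) is matched by exactly such values. A bounded match closes this: replace the list with `CommandLine|re: '(?i)/fs:(exFAT|FAT|FAT32|NTFS|ReFS|UDF)(\s|$)'` (FAT32 must then be listed explicitly, since the `FAT` prefix no longer covers it). If `re` is undesirable for this rule, the alternative is to document in a comment that the filter intentionally accepts prefix matches and why.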
@@ -25,11 +26,10 @@ detection: - Image|endswith: \icacls.exe selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC) CommandLine|contains|all: - - C:\Users\ - /deny - '*S-1-1-0:' - condition: process_creation and (all of selection*) + condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use + - Unknown level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml new file mode 100644 index 000000000..fe7ef029b --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml 
@@ -0,0 +1,54 @@ +title: Potentially Suspicious Child Process of KeyScrambler.exe +id: 1c1a3627-1cce-ccc4-df5f-84a1148fdd02 +related: + - id: d2451be2-b582-4e15-8701-4196ac180260 + type: similar + - id: ca5583e9-8f80-46ac-ab91-7f314d13b984 + type: derived +status: experimental +description: Detects potentially suspicious child processes of KeyScrambler.exe +references: + - https://twitter.com/DTCERT/status/1712785421845790799 +author: Swachchhanda Shrawan Poudel +date: 2024/05/13 +tags: + - attack.execution + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1203 + - attack.t1574.002 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_parent: + ParentImage|endswith: \KeyScrambler.exe + selection_binaries: + # Note: add additional binaries that the attacker might use + - Image|endswith: + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - mshta.exe + - PowerShell.EXE + - pwsh.dll + - regsvr32.exe + - RUNDLL32.EXE + - wscript.exe + condition: process_creation and (all of selection_*) +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml index 583243903..d80d91ff8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution Of PDQDeployRunner +title: Potentially Suspicious Execution Of PDQDeployRunner id: cdb409df-98b8-cff6-7d02-1a28a37936ec related: - id: d679950c-abb7-43a6-80fb-2a480c4fc450 
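Review bot: The description `Detects potentially suspicious child processes of KeyScrambler.exe` does not say why such children are suspicious, while the tags assert exploitation (`attack.t1203`), DLL side-loading (`attack.t1574.002`) and privilege escalation without the text connecting them — an analyst triaging the alert has only the tweet to go on. Suggest expanding it to something like `Detects potentially suspicious child processes of "KeyScrambler.exe". This signed binary is known to be abused for DLL side-loading (see related rule d2451be2); script interpreters or LOLBINs spawned from it are a likely follow-on to a successful side-load.`, which also justifies the `related` entries. The `privilege_escalation` tag in particular should either be explained or dropped, since nothing in the selection distinguishes an elevated child.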
@@ -11,6 +11,7 @@ references: - https://twitter.com/malmoeb/status/1550483085472432128 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/22 +modified: 2024/05/02 tags: - attack.execution - sysmon @@ -22,39 +23,40 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_parent: - ParentImage|contains: PDQDeployRunner- - selection_susp: + ParentImage|contains: \PDQDeployRunner- + selection_child: # Improve this section by adding other suspicious processes, commandlines or paths - Image|endswith: # If you use any of the following processes legitimately comment them out - - \wscript.exe - - \cscript.exe - - \rundll32.exe - - \regsvr32.exe - - \wmic.exe - - \msiexec.exe - - \mshta.exe + - \bash.exe + - \certutil.exe + - \cmd.exe - \csc.exe + - \cscript.exe - \dllhost.exe - - \certutil.exe + - \mshta.exe + - \msiexec.exe + - \regsvr32.exe + - \rundll32.exe - \scriptrunner.exe - - \bash.exe + - \wmic.exe + - \wscript.exe - \wsl.exe - Image|contains: - - C:\Users\Public\ - - C:\ProgramData\ - - C:\Windows\TEMP\ + - :\ProgramData\ + - :\Users\Public\ + - :\Windows\TEMP\ - \AppData\Local\Temp - CommandLine|contains: - - 'iex ' - - Invoke- - - DownloadString - - http + - ' -decode ' - ' -enc ' - ' -encodedcommand ' - - FromBase64String - - ' -decode ' - ' -w hidden' + - DownloadString + - FromBase64String + - http + - 'iex ' + - Invoke- condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the PDQDeploy tool to execute these commands diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml index 3db6ee4b1..a5f4c3807 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml 
@@ -46,7 +46,7 @@ detection: - \WinDefend - \wscsvc - \wuauserv - condition: process_creation and (selection_reg_add and 1 of selection_cli_*) + condition: process_creation and (all of selection_*) falsepositives: - Unlikely level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml index 7d1b645c7..f99436da9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml @@ -29,9 +29,6 @@ detection: - ' /sc once ' - \Temp\ condition: process_creation and selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Administrative activity - Software installation diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml index 8b11febb2..6fdde16cb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml @@ -24,21 +24,21 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - schtasks_exe: + selection: Image|endswith: \schtasks.exe CommandLine|contains|all: - /delete - /tn CommandLine|contains: # Add more important tasks + - \Windows\BitLocker + - \Windows\ExploitGuard - \Windows\SystemRestore\SR + - \Windows\UpdateOrchestrator\ - \Windows\Windows Defender\ - - \Windows\BitLocker - \Windows\WindowsBackup\ - \Windows\WindowsUpdate\ - - \Windows\UpdateOrchestrator\ - - \Windows\ExploitGuard - condition: process_creation and (all of schtasks_*) + condition: process_creation and selection falsepositives: - Unlikely level: high 
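Review bot: The new condition `all of selection_*` is only equivalent to the previous `selection_reg_add and 1 of selection_cli_*` if exactly one `selection_cli_*` selection exists; the selection definitions sit above this hunk and cannot be confirmed from here. If the rule defines more than one `selection_cli_*` block (for instance one per service-key path and one per value), `all of` turns the former OR into an AND and silently narrows detection. Please verify the selection names above the hunk, or keep the explicit `condition: process_creation and (selection_reg_add and 1 of selection_cli_*)` whose intent is unambiguous.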
diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml index d2b7d617c..90b657609 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml @@ -25,7 +25,7 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - schtasks_exe: + selection: Image|endswith: \schtasks.exe CommandLine|contains|all: - /Change @@ -33,14 +33,14 @@ detection: - /disable CommandLine|contains: # Add more important tasks + - \Windows\BitLocker + - \Windows\ExploitGuard - \Windows\SystemRestore\SR + - \Windows\UpdateOrchestrator\ - \Windows\Windows Defender\ - - \Windows\BitLocker - \Windows\WindowsBackup\ - \Windows\WindowsUpdate\ - - \Windows\UpdateOrchestrator\ - - \Windows\ExploitGuard - condition: process_creation and (all of schtasks_*) + condition: process_creation and selection falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index 0fe26b2ee..964d61182 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml @@ -51,7 +51,7 @@ detection: Image|endswith: - \code-tunnel.exe - \code.exe - condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)) + condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)) falsepositives: - Unknown level: high 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml new file mode 100644 index 000000000..5eef2c7e0 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml 
@@ -0,0 +1,46 @@ +title: All Backups Deleted Via Wbadmin.EXE +id: c65ad0f0-4bad-d1a1-b7a3-877b8d313e1f +related: + - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8 + type: derived + - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76 + type: derived +status: test +description: | + Detects the deletion of all backups or system state backups via "wbadmin.exe". + This technique is used by numerous ransomware families and actors. + This may only be successful on server platforms that have Windows Backup enabled. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell + - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md + - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ + - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted + - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2021/12/13 +modified: 2024/05/10 +tags: + - attack.impact + - attack.t1490 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_img: + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_cli: + CommandLine|contains|all: + - delete + - backup # Also covers "SYSTEMSTATEBACKUP" + CommandLine|contains: keepVersions:0 + condition: process_creation and (all of selection_*) 
+falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_backups.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_backups.yml new file mode 100644 index 000000000..572c97662 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_backups.yml 
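Review bot: The first reference's anchor, `#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell`, points at an Atomic test about shadow-copy deletion via WMI, not the wbadmin backup deletion this rule matches; it appears to have been inherited from the deleted systemstatebackup rule. Either link the T1490 atomic that actually runs `wbadmin delete ...` or drop the anchor so the link lands on the T1490 page. Also note `selection_cli` matches `delete` without a trailing space while the sibling medium-level rule matches `'delete '`; aligning the two keeps the `keepVersions:0` split between the rules clean.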
@@ -0,0 +1,48 @@ +title: Windows Backup Deleted Via Wbadmin.EXE +id: c63f8d34-3e4b-f275-8034-8fb8c4e0749d +related: + - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76 + type: derived + - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8 + type: derived +status: test +description: | + Detects the deletion of backups or system state backups via "wbadmin.exe". + This technique is used by numerous ransomware families and actors. + This may only be successful on server platforms that have Windows Backup enabled. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell + - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md + - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ + - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted + - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2021/12/13 +modified: 2024/05/10 +tags: + - attack.impact + - attack.t1490 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_img: + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_cli: + CommandLine|contains|all: + - 'delete ' + - backup # Also covers "SYSTEMSTATEBACKUP" + filter_main_keep_versions: + # Note: We exclude this to avoid duplicate alerts with 
639c9081-f482-47d3-a0bd-ddee3d4ecd76 + CommandLine|contains: keepVersions:0 + condition: process_creation and (all of selection_* and not 1 of filter_main_*) +falsepositives: + - Legitimate backup activity from administration scripts and software. +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml deleted file mode 100644 index d3e5e024d..000000000 --- a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml +++ /dev/null @@ -1,39 +0,0 @@ -title: SystemStateBackup Deleted Using Wbadmin.EXE -id: c63f8d34-3e4b-f275-8034-8fb8c4e0749d -related: - - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8 - type: derived -status: test -description: | - Deletes the Windows systemstatebackup using wbadmin.exe. - This technique is used by numerous ransomware families. - This may only be successful on server platforms that have Windows Backup enabled. -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell -author: frack113 -date: 2021/12/13 -modified: 2023/02/04 -tags: - - attack.impact - - attack.t1490 - - sysmon -logsource: - category: process_creation - product: windows -detection: - process_creation: - EventID: 1 - Channel: Microsoft-Windows-Sysmon/Operational - selection_img: - - Image|endswith: \wbadmin.exe - - OriginalFileName: WBADMIN.EXE - selection_cli: - CommandLine|contains|all: - - 'delete ' - - 'systemstatebackup ' - - -keepVersions:0 - condition: process_creation and (all of selection_*) -falsepositives: - - Unknown -level: high -ruletype: Sigma 
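Review bot: `filter_main_keep_versions` makes this rule deliberately blind to the most destructive variant (`-keepVersions:0`) on the assumption that rule 639c9081 is deployed alongside it, but that dependency is only visible in an inline comment; a deployment that takes this medium-level rule without the high-level one loses coverage of exactly the ransomware case the description advertises. Please state it where operators read, e.g. add to `description:` the line `Commands using "-keepVersions:0" are intentionally excluded here and covered by the related rule 639c9081-f482-47d3-a0bd-ddee3d4ecd76.`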
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml new file mode 100644 index 000000000..403ad32df --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml @@ -0,0 +1,45 @@ +title: Sensitive File Dump Via Wbadmin.EXE +id: 86e742d0-bfaf-0a3b-e522-068d75234910 +related: + - id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15 + type: derived +status: experimental +description: | + Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. + Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml + - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/05/10 +tags: + - attack.credential_access + - attack.t1003.003 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_img: + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_backup: + CommandLine|contains: + - start + - backup + selection_path: + CommandLine|contains: + - \config\SAM + - \config\SECURITY + - \config\SYSTEM + - \Windows\NTDS\NTDS.dit + condition: process_creation and (all of selection_*) +falsepositives: + - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis. +level: high +ruletype: Sigma 
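Review bot: `selection_backup` is a plain `CommandLine|contains` list and therefore an OR of `start` and `backup`, not the `start backup` command the title and description describe; a `start recovery ... -backupTarget:` restore of NTDS.dit satisfies it and `selection_path` together, so this rule double-fires with the sibling recovery rule under a misleading "dump" title. Use `CommandLine|contains|all:` here, mirroring the `|all` the recovery rule already uses. As Sigma matching is case-insensitive by default, `\config\SYSTEM` also matches `\config\systemprofile\`, a directory a legitimate file backup may include, which is worth tightening for a high-level rule with a "case by case" falsepositives policy.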
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_file.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_file.yml new file mode 100644 index 000000000..b4e09104d --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_file.yml @@ -0,0 +1,40 @@ +title: File Recovery From Backup Via Wbadmin.EXE +id: acec5539-33d4-1634-fa97-fe195245b647 +related: + - id: 84972c80-251c-4c3a-9079-4f00aad93938 + type: derived + - id: 6fe4aa1e-0531-4510-8be2-782154b73b48 + type: derived +status: experimental +description: | + Detects the recovery of files from backups via "wbadmin.exe". + Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials. +references: + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery + - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/05/10 +tags: + - attack.impact + - attack.t1490 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_img: + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE + selection_cli: + CommandLine|contains|all: + - ' recovery' + - recoveryTarget + - itemtype:File + condition: process_creation and (all of selection_*) +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml new file mode 100644 index 000000000..7f3f62074 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml 
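Review bot: `falsepositives: - Unknown` does not fit a rule whose selection is a generic `start recovery ... -itemtype:File` — restoring files from a Windows Backup is the tool's routine, administrator-driven use, so the entry should say so, e.g. `- Legitimate file recovery performed by backup administrators`. The tags `attack.impact` / `attack.t1490` also sit oddly with a description about extracting credentials from restored NTDS.DIT or hives; if that is the intended threat, `attack.credential_access` / `attack.t1003.003` as in the sibling rules is the consistent choice. Whichever is kept, the description and tags should tell the same story.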
@@ -0,0 +1,47 @@
+title: Sensitive File Recovery From Backup Via Wbadmin.EXE
+id: 31c981af-f890-83bc-fd4b-99a95353ee2f
+related:
+ - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
+ type: derived
+ - id: 84972c80-251c-4c3a-9079-4f00aad93938
+ type: derived
+status: experimental
+description: |
+ Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+ Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+ - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/05/10
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \wbadmin.exe
+ - OriginalFileName: WBADMIN.EXE
+ selection_backup:
+ CommandLine|contains|all:
+ - ' recovery'
+ - recoveryTarget
+ - itemtype:File
+ CommandLine|contains:
+ - \config\SAM
+ - \config\SECURITY
+ - \config\SYSTEM
+ - \Windows\NTDS\NTDS.dit
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
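Review bot: The `description` block is copied verbatim from the dump rule (`Detects the dump of highly sensitive files…`, `in order to dump sensitive files`) and does not describe what this rule matches, which per `selection_backup` is a wbadmin ` recovery` command line with `recoveryTarget` and `itemtype:File` naming SAM, SECURITY, SYSTEM or NTDS.dit; suggest `Detects the recovery of highly sensitive files such as "NTDS.DIT" or the "SAM", "SECURITY" and "SYSTEM" hives from a backup via "wbadmin.exe". Attackers can restore these files from backups in order to extract credentials.` The selection name `selection_backup` and the `wbadmin-start-backup` reference likewise belong to the backup variant; `selection_recovery` would read correctly and that reference can go. Every match of this rule is also a match of `proc_creation_win_wbadmin_restore_file.yml` from the same patch, so a sensitive restore will alert twice (medium and high); if that is intended, a sentence in the description noting it would help analysts.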
diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_attrib_system.yml
similarity index 97%
rename from sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml
rename to sigma/sysmon/threat-hunting/process_creation/proc_creation_win_attrib_system.yml
index 5c8f3968e..e34ba44d5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_attrib_system.yml
@@ -17,6 +17,7 @@ modified: 2023/03/14
 tags:
 - attack.defense_evasion
 - attack.t1564.001
+ - detection.threat_hunting
 - sysmon
 logsource:
 category: process_creation
diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
similarity index 69%
rename from sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml
rename to sigma/sysmon/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
index 777e3ce3e..eebdb9636 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
@@ -1,18 +1,21 @@
-title: Suspicious Add Scheduled Task Parent
+title: Scheduled Task Creation From Potential Suspicious Parent Location
 id: 841690fc-9a69-64c8-36ba-1a4a37f0880f
 related:
 - id: 9494479d-d994-40bf-a8b1-eea890237021
 type: derived
 status: test
-description: Detects suspicious scheduled task creations from a parent stored in a temporary folder
+description: |
+ Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+ Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
 references:
 - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
 author: Florian Roth (Nextron Systems)
 date: 2022/02/23
-modified: 2022/06/02
+modified: 2024/05/13
 tags:
 - attack.execution
 - attack.t1053.005
+ - detection.threat_hunting
 - sysmon
 logsource:
 product: windows
@@ -22,18 +25,20 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- Image|endswith: \schtasks.exe
- CommandLine|contains: '/Create '
 ParentImage|contains:
+ - :\Temp\
 - \AppData\Local\
 - \AppData\Roaming\
 - \Temporary Internet
 - \Users\Public\
- filter:
+ - \Windows\Temp\
+ Image|endswith: \schtasks.exe
+ CommandLine|contains: '/Create '
+ filter_optional_common:
 CommandLine|contains:
 - update_task.xml
 - unattended.ini
- condition: process_creation and (selection and not 1 of filter*)
+ condition: process_creation and (selection and not 1 of filter_optional_*)
 falsepositives:
 - Software installers that run from temporary folders and also install scheduled tasks
 level: medium
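Review bot: The new `description` asserts that `Multiple malware strains were seen exhibiting a similar behavior`, but the only entry under `references` is a single any.run sandbox task, so the claim is unsupported on the page; either add references for those observations or narrow the sentence to what the reference shows, e.g. `Malware has been observed creating scheduled tasks from such locations in order to achieve persistence.` The `modified` date and the `detection.threat_hunting` tag are consistent with the move into the threat-hunting folder.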
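Review bot: The hunk moves `Image|endswith: \schtasks.exe` and `CommandLine|contains: '/Create '` below `ParentImage|contains:`, so the diff shows them as removed and re-added although the only semantic changes are the two new parent paths `:\Temp\` and `\Windows\Temp\` and the `filter` → `filter_optional_common` rename; keeping field order stable would make the real change reviewable at a glance. The unchanged `falsepositives` entry still speaks only of `temporary folders` although `\AppData\Local\`, `\AppData\Roaming\` and `\Users\Public\` are matched too; `- Software installers that run from temporary or user-profile folders and also install scheduled tasks` would describe the rule as it now stands. Any `ruletype` line after `level: medium` lies outside the hunk.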