diff --git a/README.md b/README.md index 8951e82..1fb50d5 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ Help is available with `zircolite.py -h`. If your EVTX files have the extension ```shell # python3 zircolite.py --evtx --ruleset [--ruleset ] -python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json +python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon_pysigma.json ``` The SYSMON ruleset employed is a default one, intended for analyzing logs from endpoints with SYSMON installed. @@ -42,7 +42,7 @@ The SYSMON ruleset employed is a default one, intended for analyzing logs from e ```shell python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux -python3 zircolite.py --events --ruleset rules/rules_windows_sysmon.json --jsononly +python3 zircolite.py --events --ruleset rules/rules_windows_sysmon_pysigma.json --jsononly ``` :information_source: If you want to try the tool you can test with [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) (EVTX Files). diff --git a/docs/Advanced.md b/docs/Advanced.md index eddfd04..c2ea250 100755 --- a/docs/Advanced.md +++ b/docs/Advanced.md @@ -27,7 +27,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l ```shell find -maxdepth 1 -mindepth 1 -type d | \ parallel --bar python3 zircolite.py --evtx {} \ - --ruleset rules/rules_windows_sysmon.json --outfile {/.}.json + --ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json ``` One downside of this mode is that if you have less computer evidences than CPU Cores, they all will not be used. 
@@ -39,7 +39,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l ```shell find -type f -name "*.| \ parallel -j -1 --progress python3 zircolite.py --evtx {} \ - --ruleset rules/rules_windows_sysmon.json --outfile {/.}.json + --ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json ``` In this example the `-j -1` is for using all cores but one. You can adjust the number of used cores with this arguments. @@ -70,20 +70,20 @@ To speed up the detection process, you may want to use Zircolite on files matchi - Only use EVTX files that contains "sysmon" in their names ```shell - python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ + python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ --select sysmon ``` - Exclude "Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx" ```shell - python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ + python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ --avoid systemdataarchiver ``` - Only use EVTX files with "operational" in their names but exclude "defender" related logs ```shell - python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ + python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ --select operational --avoid defender ``` @@ -92,7 +92,7 @@ For example, the **Sysmon** ruleset available in the `rules` directory only use So if you use the sysmon ruleset with the following rules, it should speed up `Zircolite`execution : ```shell -python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ --select sysmon --select security.evtx --select system.evtx \ --select application.evtx --select Windows-NTLM --select DNS \ --select powershell --select defender --select applocker \ 
@@ -113,14 +113,14 @@ Examples : - Select all events between the 2021-06-02 22:40:00 and 2021-06-02 23:00:00 : ```shell - python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ + python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ -A 2021-06-02T22:40:00 -B 2021-06-02T23:00:00 ``` - Select all events after the 2021-06-01 12:00:00 : ```shell - python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ + python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \ -A 2021-06-01T12:00:00 ``` @@ -132,7 +132,7 @@ The filter will apply on the rule title. To avoid unexpected side-effect **compa ```shell python3 zircolite.py --evtx logs/ \ - --ruleset rules/rules_windows_sysmon.json \ + --ruleset rules/rules_windows_sysmon_pysigma.json \ -R MSHTA ``` @@ -160,7 +160,7 @@ If you forward your events to a central collector you can disable local logging If you have multiple endpoints to scan, it is useful to send the detected events to a central collector. As of v1.2, Zircolite can forward detected events to an HTTP server : ```shell -python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --remote "http://address:port/uri" ``` An **example** server called is available in the [tools](https://github.com/wagga40/Zircolite/tree/master/tools/zircolite_server/) directory. @@ -173,7 +173,7 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk 2. Get your token and you are ready to go : ```shell -python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \ [--index myindex] ``` 
@@ -187,7 +187,7 @@ Since Splunk HEC default to the first associated index, `--index` is optional bu As of version 2.8.0, Zircolite can forward events to an ELK stack using the ES client. ```shell -python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --remote "https://x.x.x.x:8088" --index "zircolite-whatever" \ --eslogin "yourlogin" --espass "yourpass" ``` @@ -214,7 +214,7 @@ Zircolite provides a templating system based on Jinja 2. It allows you to change - `--templateOutput ` ```shell -python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --template templates/exportForSplunk.tmpl --templateOutput exportForSplunk.json ``` @@ -237,7 +237,7 @@ You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template ```shell python3 zircolite.py --evtx sample.evtx - --ruleset rules/rules_windows_sysmon.json \ + --ruleset rules/rules_windows_sysmon_pysigma.json \ --template templates/exportForZircoGui.tmpl --templateOutput data.js 7z x gui/zircogui.zip mv data.js zircogui/ diff --git a/docs/Usage.md b/docs/Usage.md index 5cf39f2..829fff2 100644 --- a/docs/Usage.md +++ b/docs/Usage.md 
@@ -86,10 +86,10 @@ Multiple rulesets can be specified, results can be per-ruleset or combined (with ```shell # Example with a Zircolite ruleset and a Sigma rule. Results will be displayed per-ruleset -python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --ruleset schtasks.yml # Example with a Zircolite ruleset and a Sigma rule. Results will be displayed combined -python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \ +python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \ --ruleset schtasks.yml --combine-rulesets ``` @@ -107,7 +107,7 @@ If your evtx files have the extension ".evtx" : ```shell python3 zircolite.py --evtx \ --ruleset -python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json +python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon_pysigma.json ``` ### XML logs @@ -140,7 +140,7 @@ And it produces something like this (1 event per line): ```shell python3 zircolite.py --events --ruleset --xml python3 zircolite.py --events Microsoft-Windows-SysmonOperational.xml \ - --ruleset rules/rules_windows_sysmon_full.json --xml + --ruleset rules/rules_windows_sysmon_pysigma.json --xml ``` ### EVTXtract logs @@ -552,7 +552,7 @@ docker build . -t docker container run --tty \ --volume :/case wagga40/zircolite:latest \ - --ruleset rules/rules_windows_sysmon.json \ + --ruleset rules/rules_windows_sysmon_pysigma.json \ --events /case \ --outfile /case/detected_events.json ``` @@ -575,7 +575,7 @@ docker run --rm --tty \ -v :/case/input:ro \ -v :/case/output \ wagga40/zircolite:latest \ - --ruleset rules/rules_windows_sysmon.json \ + --ruleset rules/rules_windows_sysmon_pysigma.json \ --events /case/input \ -o /case/output/detected_events.json ``` 
@@ -587,6 +587,6 @@ You can use the Docker image available on [Docker Hub](https://hub.docker.com/r/ ```shell docker container run --tty \ --volume :/case docker.io/wagga40/zircolite:lastest \ - --ruleset rules/rules_windows_sysmon.json \ + --ruleset rules/rules_windows_sysmon_pysigma.json \ --evtx /case --outfile /case/detected_events.json ``` diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index b9abfb1..a8da7cc 100644 Binary files a/docs/Zircolite_manual.pdf and b/docs/Zircolite_manual.pdf differ diff --git a/gui/zircogui.zip b/gui/zircogui.zip index b90a92c..0f800a0 100644 Binary files a/gui/zircogui.zip and b/gui/zircogui.zip differ diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json index 2d7eba3..acd78d2 100644 --- a/rules/rules_windows_generic.json +++ b/rules/rules_windows_generic.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, 
@@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
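Review bot: "Add Port Monitor Persistence in Registry" (id 944e8941-f6f6-4ee8-ac05-1c224e923c0e) is deleted from this ruleset file with no corresponding `+` block anywhere in the patch, unlike the FlowCloud, CVE-2020-1048 and Electron rules, which are removed and re-added under new filenames. If this follows an upstream deprecation or rename, say so in the commit message; otherwise the T1547.010 check on writes under `Control\\Print\\Monitors\\` with a `.dll` value silently disappears.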
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
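Review bot: on the WinDefend rule, `NewValue = 'DWORD (0x00000004)'` is an exact comparison against the rendered value text, so the rule only fires when the collector formats the data exactly that way; a sample 4657 event through the Zircolite field mapping should be checked once to confirm it ever matches. The relaxed `'%\\\\Services\\\\WinDefend\\\\Start'` pattern now also matches writes under ControlSet001/ControlSet002 and not only the `CurrentControlSet` alias, which is the right direction for a tamper-detection rule.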
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
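Review bot: the level drop from critical to high alongside `falsepositives` moving from "Unlikely" to "Unknown" is fine, but the untouched `NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ...)` exclusion is a blind spot that deserves a comment in the rule: an attacker-supplied MSI runs under that same msiexec.exe path and would register a Security Package without alerting. The added pair of parentheses around the NOT clause is redundant but harmless.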
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
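Review bot: "Files With System Process Name In Unsuspected Locations" (id d5866ddf-ce8f-4aea-b28e-d96485a20d3d) is removed outright with no replacement in the patch. The deleted query carries no `EventID`/`Channel` predicate at all (it starts directly with `TargetFilename LIKE ...`), which in a Security-channel ruleset suggests the logsource never mapped cleanly; if that is the reason for dropping it, state it in the commit message so the loss of the T1036.005 masquerading check (lsass.exe, svchost.exe, winlogon.exe and the rest of the list outside System32/SysWOW64/WinSxS) is a recorded decision rather than an accident.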
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
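Review bot: the deleted "EVTX Created In Uncommon Location" rule likewise had no `EventID`/`Channel` predicate, and its container exclusion `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\'` lacks a trailing `%`, so it could only match a path ending in the backslash and never actually suppressed the `ProgramData\\Microsoft\\Windows\\Containers\\BaseImages` case. Removal as-is is acceptable; if the rule is reinstated later, that filter needs the wildcard.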
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
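Review bot: the description says "Detects potential exploitation of CVE-2024-1709" while the title, the `cve.2024.1212` tag and the filename all say CVE-2024-1212; the text was copy-pasted from the ScreenConnect rule immediately above and should be corrected. Two smaller points on the same block: `"filename": "web_exploit_cve_2024_1212_.yml"` has a stray trailing underscore, and `cs-uri-stem LIKE '%param=enableapi%'` assumes the query string is part of the uri-stem field, whereas W3C-style access logs put it in cs-uri-query, so verify the field mapping against a real LoadMaster log. Also confirm that the converter quotes the hyphenated identifiers `cs-method` and `cs-uri-stem`; unquoted, SQLite would parse `cs-method` as a subtraction.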
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
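Review bot: `NewValue LIKE '%.com%'` in the re-added CVE-2020-1048 rule matches any port value containing ".com", which includes the FQDN of an ordinary network printer under a .com domain, and `'%C:%'` matches any local path; either anchor the extension checks to the end of the value or extend the falsepositives entry ("New printer port install on host") to mention hostnames, since the rule is level high. Against the version deleted later in this patch the functional changes are the leading wildcard on the `Windows NT\\CurrentVersion\\Ports` key, the added `.ps1`, `.vbe` and `.vbs` extensions and the new `cve.2020.1048` tag; the id 7ec912f2-... is unchanged, so this is a rename plus broadening rather than a new rule.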
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json index b0da70e..64d706e 100644 --- a/rules/rules_windows_generic_full.json +++ b/rules/rules_windows_generic_full.json 
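Review bot: the FlowCloud re-add keeps id 5118765f-6657-4ddb-a487-d7bd673abbf1 but changes the match semantics in a way worth calling out: the three GUID patterns now carry a leading and trailing `%`, so writes to values beneath `\\HARDWARE\\{GUID}` match, whereas the deleted version used `TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{...}'` with no wildcard and would rarely if ever fire on 4657 value-path events. `falsepositives` flips from "Unknown" to "Unlikely" at the same critical level, which is reasonable for a malware-marker rule. Since this hunk and the earlier deletion are one logical move, the commit message should say so.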
@@ -7257,6 +7257,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR 
CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
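Review bot: this Electron block is identical to the one deleted later in the patch except for the filename, `proc_creation_win_susp_electron_execution_proxy.yml`, which fixes the "exeuction" typo; the id 378a05d8-963c-46c9-bcce-13c7657eac99 is unchanged, so the move is only re-sorting within the file and needs no further review beyond confirming no duplicate id remains.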
@@ -8341,24 +8359,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE 
'\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -15277,7 +15277,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
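Review bot: in the SafeBoot hunk, `NewProcessName LIKE '%reg.exe'` to `'%\\\\reg.exe'` is a correct tightening: the old suffix match also hit any image whose name merely ends in "reg.exe" (for example `...\\foo_reg.exe`). The `OriginalFileName = 'reg.exe'` branch uses `=`, which in SQLite is case-sensitive unlike LIKE; keep it only if the PE OriginalFileName is known to be lowercase, otherwise switch it to LIKE for consistency with the other rules in this file.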
@@ -19908,7 +19908,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
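Review bot: the third branch of the schtasks rule now fires on any `/Create` command line that contains `:\\ProgramData\\`, `:\\Users\\Public\\`, `:\\Temp\\` or `:\\Tmp\\` together with the substring `cscript`, `wscript` or `curl`; scheduled updater tasks that run a script from ProgramData are common in enterprise software, so expect more hits at level high. Either add an exclusion list in a follow-up or document the expected noise in falsepositives.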
@@ -20299,25 +20299,6 @@ ], "filename": "proc_creation_win_cmdkey_recon.yml" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_cmd_redirect.yml" - }, { "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", 
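Review bot: removing "CMD Shell Output Redirect" (level low, any `>` in a cmd.exe command line) is a sensible noise reduction; the narrower sibling 8e0bb260-d4b2-4fff-bb8d-3f82118e6892, updated later in this patch, retains coverage of redirects into user-writable directories, so nothing of value is lost.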
@@ -24415,10 +24396,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -24429,7 +24410,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -33796,27 +33777,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
@@ -33950,10 +33910,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -33964,7 +33924,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -33989,7 +33949,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -34030,7 +33990,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -34043,7 +34003,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
@@ -34087,10 +34047,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -34101,7 +34061,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -34220,23 +34180,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -35030,7 +34973,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -35182,7 +35125,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -35339,7 +35282,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
@@ -35354,7 +35297,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -35412,7 +35355,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -35435,6 +35378,25 @@ ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "registry_set_optimize_file_sharing_network.yml" + }, { "title": "Winlogon AllowMultipleTSSessions Enable", "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", 
@@ -35562,7 +35524,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -35677,10 +35639,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -35691,11 +35653,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -35761,7 +35723,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -35771,7 +35733,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
@@ -36021,7 +35983,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -36231,10 +36193,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -36245,7 +36207,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -36732,25 +36694,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
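Review bot: this hunk deletes "Service Binary in Uncommon Folder" (id `277dc340-0540-42e7-8efb-5ff460045e07`) outright, and unlike the MSDT rule later in this diff there is no re-added entry with the same id under a new `filename`, so this is a real loss of coverage rather than a rename. The commit message should say whether the upstream rule was deprecated or whether the pySigma conversion failed on it; the latter is plausible, since the removed SQL tested `NewProcessName` (the writing process) against `AppData\Local` / `AppData\Roaming` in the `Start` branch instead of the service binary path, which looks like a field-mapping artefact rather than the rule's intent. If it was a conversion failure the rule should be carried over with the `ImagePath` branch intact rather than dropped.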
@@ -36823,9 +36766,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
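Review bot: the level is lowered from `high` to `medium` in this hunk but the `falsepositives` entry still reads only "Unknown"; whatever benign port-monitor activity motivated the downgrade should be recorded there so the next reviewer does not raise it back. Within the SQL, the two edited exclusions now use the `'%\\Control\\Print\\...'` form with a leading backslash, while the third one was left as `'%Control\\Print\\Environments\\%'` without it; that is harmless (it only additionally matches keys whose parent name happens to end in `Control`) but the three filters should be written the same way for readability.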
@@ -36943,10 +36886,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36957,7 +36900,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
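Review bot: the prefix change in the second hunk is a real fix, not only a style change, and deserves a line in the commit message. `Hidden` and `ShowSuperHidden` are per-user Explorer settings under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`, so the previous pattern anchored on `'HKLM\\SOFTWARE\\...'` could only ever match the machine-wide default and would have missed exactly the per-user tampering the description talks about; `'%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden'` covers both hives. The new title "Displaying Hidden Files Feature Disabled" is consistent with the unchanged `NewValue = 'DWORD (0x00000000)'` check, so no further logic change is needed here.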
@@ -36980,25 +36923,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -37057,7 +36981,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -37071,7 +36995,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
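Review bot: the "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" entry removed in the first hunk (id `2d9403d5-7927-46b7-8216-37ab7c9ec5e3`) reappears later in this diff with the filename renamed to `registry_set_exploit_cve_2022_30190_msdt_follina.yml`, so the deletion is a move and the commit message should describe it as such rather than leaving readers to grep for the id. In the WinDefend hunk, replacing the `'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\Start'` literal with `'%\\Services\\WinDefend\\Start'` also matches the `ControlSet001`/`ControlSet002` spellings of the same path, which is the right loosening because the `NewValue = 'DWORD (0x00000004)'` clause is what makes the rule specific.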
@@ -37380,25 +37304,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -37541,10 +37446,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
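Review bot: the first hunk deletes the "FlowCloud Malware" rule (id `5118765f-6657-4ddb-a487-d7bd673abbf1`, level `critical`) and, as with "Service Binary in Uncommon Folder" earlier in this diff, nothing re-adds that id under another filename, so this is a second silent loss of detection that the commit message should account for. In the PortProxy hunk the description drops the cross-reference "For command execution see rule win_netsh_port_fwd.yml"; if the reference is removed because the rule was renamed upstream, point to the new name instead of deleting the pointer, because the registry and process-creation rules are meant to be paired.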
@@ -37558,7 +37463,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
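Review bot: the old and new `TargetObject` patterns in this hunk are disjoint, which changes what the rule can match rather than just relaxing it. The previous `'HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp'` (no wildcard) matched only when the object path was exactly the `tcp` key; the new `'%\\Services\\PortProxy\\v4tov4\\tcp\\%'` requires at least one more path component after `tcp\`, i.e. a representation where the value name is appended to the key path. An event whose object field carries just the key, as the old pattern expected, now never fires. Confirm which form the 4657 field mapping actually produces for `TargetObject` (key only, or key plus `ObjectValueName`) and, if both occur, use `'%\\Services\\PortProxy\\v4tov4\\tcp%'` so neither shape is lost.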
@@ -37577,7 +37482,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
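Review bot: the filter change in this hunk weakens the rule. The Chrome and Edge exclusions previously required the `StubPath` value to begin with the quoted installer path (`'\"C:\\Program Files\\Google\\Chrome\\Application\\%'`); with the new leading `%` (`'%C:\\Program Files\\Google\\Chrome\\Application\\%'`) the benign path only has to appear somewhere in the value, and the second half of each exclusion already ends in `%`. A `StubPath` such as `evil.exe "C:\Program Files\Google\Chrome\Application\1\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level` therefore satisfies both LIKEs and is excluded, even though the command that Active Setup will actually run is `evil.exe`. If the leading quote was dropped because some installers write the path unquoted, use `'C:\\Program Files\\Google\\Chrome\\Application\\%'` (anchored, no leading wildcard) or `'%\"C:\\Program Files\\...'` instead of a bare contains-match.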
@@ -37920,18 +37825,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
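Review bot: the `msiexec.exe` exclusion survives this hunk unchanged while the level drops from `critical` to `high` and the false-positive note changes from "Unlikely" to "Unknown", which together make the rule easier to bypass and less visible at the same time. Registering an SSP from inside an MSI is a one-line custom action, so any administrator-level attacker who wraps the `Security Packages` write in `msiexec.exe` is silently excluded by `NewProcessName LIKE 'C:\\Windows\\system32\\msiexec.exe'`; note also that this exclusion is still drive-anchored while the `TargetObject` patterns were just unanchored to `'%\\Control\\Lsa\\Security Packages'`. Either narrow the exclusion (for example require a known `NewValue` list rather than trusting the installer process) or keep the level at `critical` and state the FP reason explicitly. The extra grouping `NOT (((...)))` in the new SQL is an empty level emitted by the converter and is harmless.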
@@ -38840,7 +38745,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -38850,9 +38755,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
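Review bot: the rewritten exclusion in this hunk drops a condition that the old version relied on. Previously a file under `System32`, `SysWOW64`, `WinSxS` or `SoftwareDistribution` was only excluded when the writer was `dism.exe` or `TiWorker.exe`; the new first branch excludes any `TargetFilename` under `'%C:\\Windows\\System32\\%'` and friends regardless of `NewProcessName`. That means a drop of, say, `svchost.exe` or `lsass.exe` into a user-writable subfolder of System32 such as `C:\Windows\System32\spool\drivers\color\` is now excluded outright, which is precisely the masquerading this rule exists to catch. The same loss applies to `$WINDOWS.~BT` (no longer tied to `SetupHost.exe`), `$WinREAgent` (no longer tied to `wuaucltcore.exe` under `uus`) and `SoftwareDistribution` (previously `Download\` only, and only for `svchost.exe`). Two smaller regressions: the patterns switch from `'%:\\Windows\\...'` to `'%C:\\Windows\\...'`, so installations on another system drive are no longer excluded at all, and the `wbengine.exe` / `RuntimeBroker.exe` exclusion disappears without a replacement. Keep the process qualifier on the system-directory branch, or at minimum exclude only the top-level `System32\` and `SysWOW64\` files rather than their whole subtrees.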
@@ -39152,18 +39057,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
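Review bot: the second exclusion in both the old and the new SQL can never match. It requires `TargetFilename LIKE '%\\Windows\\System32\\winevt\\Logs\\'` with no trailing `%`, i.e. a path that ends in `Logs\`, while the outer condition requires the same field to end in `.evtx`; the two are mutually exclusive, so the `Containers\BaseImages` carve-out is dead code and container base-image log creation will alert. Add the trailing `%` (`'%\\Windows\\System32\\winevt\\Logs\\%'`). Separately, this hunk documents a new false positive (`svchost` writing `_.evtx` files into `C:\Windows\Temp`) and removes the `explorer.exe` / `dllhost.exe` process exclusion, but adds no filter for the documented case; if the Temp behaviour is accepted as benign it should be excluded in the SQL rather than only mentioned, otherwise the downgrade to `medium` is carrying the noise instead of the logic.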
@@ -46678,6 +46584,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
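Review bot: the re-added MSDT rule keeps `TargetObject LIKE 'HKCR\\ms-msdt\\%'`, anchored on the `HKCR` shorthand, whereas every other registry rule touched in this commit has its hive prefix replaced by a leading `%` (for example `'%\\Services\\WinDefend\\Start'`). Since the only change here is the filename (`registry_set_cve_2022_30190_msdt_follina.yml` to `registry_set_exploit_cve_2022_30190_msdt_follina.yml`, same id `2d9403d5-...`), it would be consistent to apply the same treatment, `'%\\ms-msdt\\%'`, so that a `\REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\...` or `HKLM\SOFTWARE\Classes\ms-msdt\...` spelling of the same key is not missed by this one rule alone.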
@@ -47230,6 +47155,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
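Review bot: the description in the added rule names the wrong vulnerability: it says "Detects potential exploitation of CVE-2024-1709" (the ScreenConnect CVE from the entry immediately above), while the title, the `cve.2024.1212` tag and the filename are all CVE-2024-1212; fix the description before this ships, since analysts read that field first. Two further issues in the same entry: the filename `web_exploit_cve_2024_1212_.yml` has a stray trailing underscore, and the three parameter checks are written against `cs-uri-stem` (`'%param=enableapi%'`, `'%value=1%'`), but in W3C extended format the query string lives in `cs-uri-query`, not in the stem, so as written the rule only matches if the whole URL was logged into the stem field. Check the field mapping and move the parameter clauses to the query column if they are separate in the input.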
@@ -47267,6 +47211,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w 
h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
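Review bot: the "Shutdown Schedule Task Creation" rule carries only `attack.persistence` and `detection.emerging_threats` and no technique tag, while its sibling "Winlogon Shell Persistence" rule maps to `attack.t1547.001`; adding the scheduled-task sub-technique tag (`attack.t1053.005`) would keep the three KamiKakaBot rules consistent. Two smaller points: the Winlogon rule's author field reads `X__Junior` where the other two read `X__Junior (Nextron Systems)`, and the schtasks rule's `NOT (User LIKE '%AUTHORI%' OR User LIKE '%AUTORI%')` filter deliberately excludes tasks created by NT AUTHORITY accounts, which is worth stating under `falsepositives` (currently "Unknown") so analysts know SYSTEM-created tasks are out of scope.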
@@ -47700,6 +47703,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
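Review bot: this rule reuses id `7ec912f2-5175-4868-b811-ec13ad0f8567`, the same id as the "Suspicious New Printer Ports in Registry (CVE-2020-1048)" rule that a later hunk removes from rules/rules_windows_generic_high.json, so it is a move plus an update rather than a new rule, and the commit message should say so: the update widens matching (`%.ps1%`, `%.vbe%`, `%.vbs%` added; key prefix relaxed from `HKLM\SOFTWARE\...` to `%\Microsoft\Windows NT\CurrentVersion\Ports%`). One logic point on the `NewValue` list: `LIKE '%.com%'` matches any value containing ".com", including hostnames in network port names, not only COM executables; either document that under `falsepositives` or anchor the pattern.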
@@ -48255,6 +48280,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
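Review bot: this is the "FlowCloud Malware" rule (same id `5118765f-...`) that a later hunk removes from rules/rules_windows_generic_high.json, but with broader key patterns: the removed version matched the three `HKLM\HARDWARE\{GUID}` keys exactly, whereas `'%\\HARDWARE\\{GUID}%'` with a trailing `%` now also matches values and subkeys beneath each GUID key, and `falsepositives` moves from "Unknown" to "Unlikely" with `level` kept at `critical`. Both look deliberate (a 4657 `TargetObject` names the value path, not just the key), but the widening should be recorded in the commit message.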
@@ -48983,6 +49027,26 @@ ], "filename": "proc_creation_win_tasklist_basic_execution.yml" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_cmd_redirect.yml" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
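Review bot: `CommandLine LIKE '%>%'` matches any `>` in the command line, not only output redirection: `2>&1`, `>>` and a `>` inside quoted arguments all hit, so even at `level: low` this will be noisy on busy hosts; the `detection.threat_hunting` tag fits, but `falsepositives` only mentions Internet Download Manager and should state that any cmd.exe invocation containing `>` qualifies. The IDM exclusion also hard-codes `C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe`, so an IDM install on another drive or under the 64-bit `Program Files` path is not filtered.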
@@ -49331,6 +49395,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR 
(TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Shell Context Menu Command Tampering", "id": "868df2d1-0939-4562-83a7-27408c4a1ada", diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json index 2d7eba3..acd78d2 100644 --- a/rules/rules_windows_generic_high.json +++ b/rules/rules_windows_generic_high.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
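Review bot: in the "Service Binary in User Controlled Folder" rule (first hunk above), the MBAM exclusion keys on `NewValue LIKE '%C:\\Users\\%' AND NewValue LIKE '%AppData\\Local\\Temp\\MBAMInstallerService.exe%'`, i.e. exactly the user-writable temp path the rule exists to catch, so any binary dropped under that name in a user's Temp folder is silently excluded; tie the filter to the writing process (`NewProcessName`) instead of the value alone. The two `AND NOT (...)` groups could also be merged into one filter block. The `description` sentence "This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation" mixes the false-positive note with the attack rationale and would read better as two sentences. In the second hunk (rules_windows_generic_high.json, `proc_creation_win_reg_add_safeboot.yml`) the change from `'%reg.exe'` to `'%\\reg.exe'` is correct: the old pattern also matched any binary whose name merely ends in `reg.exe`.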
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
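Review bot: the added path patterns `:\\ProgramData\\`, `:\\Temp\\`, `:\\Tmp\\` and `:\\Users\\Public\\` widen the third branch of this `level: high` rule, and `ProgramData` in particular is where many legitimate installers place scripts they then schedule with `wscript`/`cscript`, so this branch likely needs a `falsepositives` entry or vendor filters; the `%curl%` term is also an unanchored substring, so any argument containing "curl" satisfies it. Worth checking a few weeks of 4688 data before shipping the broadened pattern.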
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
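Review bot: removing the CVE-2020-1048 printer-port rule from rules_windows_generic_high.json is fine only if the ruleset that gains the updated copy (earlier hunk, same id `7ec912f2-...`) is the one users of this file are expected to switch to; otherwise this file loses its CVE-2020-1048 coverage. The filename also changes (`registry_set_cve_2020_1048_new_printer_port.yml` to `registry_set_exploit_cve_2020_1048_new_printer_port.yml`), which anyone filtering alerts by `filename` will need to know from the changelog.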
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
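Review bot: this hunk deletes the "Adwind RAT / JRAT - Registry" rule (`42f0e038-...`) outright, and no hunk shown here re-adds it under another file or id, unlike the printer-port and FlowCloud rules which are moved; if the removal is intentional (the rule had no `falsepositives` field and its `NewValue LIKE '\%AppData\%\\Roaming\\Oracle\\bin\\%'` pattern is a narrow indicator), say so in the commit message, otherwise this drops coverage for a Run-key persistence marker.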
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
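Review bot: the new exclusion hard-codes the drive letter (`NewProcessName LIKE 'C:\\Windows\\SoftwareDistribution\\Download\\%'`, `NewValue LIKE '%C:\\Windows\\Temp\\%'`) while the positive patterns in the same rule are drive-agnostic (`'%:\\Temp\\%'`, `'%:\\Windows\\Temp\\%'`), so the Windows Update cleanup entry (`rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32`) will still fire on systems installed to another drive letter; `'%\\Windows\\SoftwareDistribution\\Download\\%'` would follow the rule's own convention. The filter is otherwise tightly scoped (process path plus two `NewValue` fragments), which is the right shape for a Run-key exclusion.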
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
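Review bot: both versions of the WINEVT rule end with `AND NOT ((NewProcessName = '') OR (NewProcessName = ''))`, two identical conditions; this looks like a conversion artifact where two Sigma filter selections collapsed to the same empty string and should be reduced to one (or checked against the source rule to see what the second filter was meant to exclude). The wevtutil exclusion also narrows from `'%\\Windows\\system32\\wevtutil.exe'` to `'C:\\Windows\\system32\\wevtutil.exe'`, a fixed drive letter that the rest of this change otherwise replaces with `%\\...` patterns. In the TimeProviders hunk, the description says the DLL is set "in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider" ("in under" is a typo and the key is singular), while the rule matches `\Services\W32Time\TimeProviders`; the description should name the `TimeProviders` key.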
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, 
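Review bot: the three new exclusions are full-value matches with no leading `%` (`'\%SystemRoot\%\\System32\\vmictimeprovider.dll'`, `'\%systemroot\%\\system32\\w32time.dll'`, `'C:\\Windows\\SYSTEM32\\w32time.DLL'`), which is the safe direction, since a DLL registered from any other path still fires; `C:\Windows\...` is the only expanded form listed, though, so the stock w32time.dll on a system installed to another drive will alert, which deserves a `falsepositives` entry. The `TargetObject LIKE '%\\DllName'` anchor now requires the backslash and so correctly drops value names that merely end in "DllName".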
@@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
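Review bot: `level` drops from `critical` to `high` while `falsepositives` moves from "Unknown" to "Unlikely"; lowering severity while asserting fewer false positives needs a rationale in the commit message. The description also loses its pointer to the System log 7045 companion rule (`win_cobaltstrike_service_installs.yml`) and the ControlSet001/ControlSet002 remark, yet the new query explicitly adds that branch (`TargetObject LIKE '%\\System\\ControlSet%' AND TargetObject LIKE '%\\Services%'`), so a one-line note about it is worth keeping. Minor: `'%\\Services%'` in that branch has no trailing backslash and also matches keys such as `\ServicesFoo`; `'%\\Services\\%'` would be tighter.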
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
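Review bot: this deletes "Add Port Monitor Persistence in Registry" (`944e8941-...`, `attack.t1547.010`) with no replacement visible in the hunks shown, so unless an equivalent lands in another ruleset this file loses its port-monitor persistence check; if it is being retired because of the spoolsv/CutePDF/VNC exclusions it carried, record that in the commit message.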
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
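Review bot: `NewValue = 'DWORD (0x00000004)'` is the Sysmon EventID 13 `Details` formatting. In the Security channel a 4657 event carries the value type in its own field and logs the value separately, so check this equality against a real 4657 sample before relying on it in this ruleset; otherwise the broadened `%\\\\Services\\\\WinDefend\\\\Start` match, which is a good change because it also covers `ControlSet00N` paths, never gets past the value test. The `- Registry` title suffix is fine.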
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
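Review bot: the same id `5118765f-6657-4ddb-a487-d7bd673abbf1` is removed here and re-added further down in this file as "FlowCloud Registry Markers" (`registry_event_malware_flowcloud_markers.yml`), so this is a rename plus rewrite rather than a loss. The re-added SQL replaces the exact `HKLM\\\\HARDWARE\\\\{...}` key patterns with `%\\\\HARDWARE\\\\{...}%`, which is needed both because 4657 reports object names as `\REGISTRY\MACHINE\...` and because the trailing `%` now catches values written beneath the marker keys. Confirm the regenerated file does not end up with both copies, since the id would then appear twice.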
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
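Review bot: the `NOT (((...)))` triple parenthesis around the msiexec exclusion is a converter artefact; SQLite does not mind, but it is worth normalising for readability. On the matching side, `%\\\\Control\\\\Lsa\\\\Security Packages` (and the `OSConfig` variant) is the right replacement for the `HKLM\\\\System\\\\CurrentControlSet` prefix: 4657 reports `\REGISTRY\MACHINE\...`, and the wildcard also catches writes under `ControlSet001`/`ControlSet002`. The level drop from critical to high and the falsepositives change to "Unknown" are upstream metadata and fine.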
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
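Review bot: this deletes the whole `file_event_win_creation_system_file.yml` entry (T1036.005, an executable with a system process name created outside the system directories) and nothing else in the patch adds it back. The deleted SQL is well-formed, so it did not fail conversion; if it was dropped for cost (one `LIKE` per process name over every file event) or because the exclusion list was judged unmaintainable, that deserves a line in the commit message, otherwise it reads as an accidental loss of a high-value detection.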
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
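Review bot: the removed rule carried a real defect worth recording in case it comes back: the exclusion `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\'` ends in a backslash with no trailing `%`, so it only matched a path ending exactly in `Logs\` and the container base-image filter was effectively dead. Since the entry is deleted rather than fixed, confirm that was the intent and that `.evtx` creation outside `winevt\Logs` is still covered by another rule.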
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
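Review bot: the description says "Detects potential exploitation of CVE-2024-1709" while the title, the `cve.2024.1212` tag and the filename all say CVE-2024-1212; the 1709 text is copied from the preceding ScreenConnect entry (`web_exploit_cve_2024_1709_screenconnect.yml`) and should read CVE-2024-1212. Two smaller points: `param=enableapi` and `value=1` are query-string parameters, yet the rule tests `cs-uri-stem` for them, which only works if the log source folds the query into the stem field, so verify this against the web-log field mapping; and the filename `web_exploit_cve_2024_1212_.yml` has a stray trailing underscore.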
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
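Review bot: the rule accepts only `OperationType LIKE 'Existing registry value modified'`. Under HKLM the `Winlogon\Shell` value exists by default, so a change there is a modification, but the leading `%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell` wildcard also reaches the per-user HKCU key, where `Shell` is normally absent and a first write is logged as `New registry value created` and is missed. If the registry_set mapping cannot emit both operation types, document that limitation; the NewValue conjunction (`-nop -w h`, `$env`, `explorer.exe`, `Start-Process`) is specific enough to tolerate the wider operation set.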
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
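Review bot: two points on the new SQL. First, `NewValue LIKE '%.com%'` and `'%C:%'` are unanchored substrings; `.com` is also the end of any hostname, so a network port named after an FQDN (the "New printer port install on host" false positive listed in the rule) will trip a high-level alert, so either anchor `.com` as a suffix like a real extension or drop it. Second, adding a printer port creates a new value under `...\CurrentVersion\Ports`, yet the rule only accepts `OperationType LIKE 'Existing registry value modified'`, so the scenario in the title ("New Printer Ports") is the one 4657 shape this version cannot match; the older entry deleted later in this patch had the same restriction, so this is a mapping gap rather than a regression.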
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json index 943fab9..24756c7 100644 --- a/rules/rules_windows_generic_medium.json +++ b/rules/rules_windows_generic_medium.json 
@@ -6532,6 +6532,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR 
CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
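Review bot: this is the entry deleted further down (`proc_creation_win_susp_electron_exeuction_proxy.yml`) reinserted with the filename typo fixed; the SQL is identical, so the move only reflects sort order. One thing to be aware of rather than change here: Security 4688 has no `OriginalFileName` field, so in this Security-channel ruleset the `OriginalFileName LIKE 'chrome.exe'` alternatives only matter on enriched input; the `NewProcessName LIKE '%\\\\chrome.exe'` branch carries the detection.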
@@ -7595,24 +7613,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE 
'\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -14180,7 +14180,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
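Review bot: the `reg.exe` pattern fix in the SafeBoot hunk is correct: `'%reg.exe'` also matched any image whose name merely ends in `reg.exe`, while `'%\\\\reg.exe'` requires the path separator before the name, in line with the other process rules here (`'%\\\\cmd.exe'`, `'%\\\\schtasks.exe'`). Note that `OriginalFileName = 'reg.exe'` stays an exact comparison, and SQLite `=` is case-sensitive where `LIKE` is not for ASCII, so a differently cased `OriginalFileName` would miss that branch; the NewProcessName branch still catches it.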
@@ -18479,7 +18479,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
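Review bot: the added staging directories (`:\\\\ProgramData\\\\`, `:\\\\Temp\\\\`, `:\\\\Tmp\\\\`, `:\\\\Users\\\\Public\\\\`) are gated by the same `cscript|curl|wscript` test as before, and `%curl%` is an unanchored substring, so any `/Create` command line whose task name or path merely contains those letters (more likely now that ProgramData, where products keep their own folders, is in scope) fires at level high. If ProgramData proves noisy, tighten that branch to `curl.exe` or `curl ` rather than removing the path. The widening of the path list itself looks right.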
@@ -22831,10 +22831,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -22845,7 +22845,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -31276,27 +31276,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
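Review bot: `'%>_\\%APPDATA\\%\\\\%'` uses `_`, the single-character LIKE wildcard, so `>` must be followed by exactly one character before the path. The previous version listed both `> %APPDATA%\` and `>%APPDATA%\`; the no-space form is no longer matched (the `_` would have to consume the `%`), and the drive-less `\\Users\\Public\\` variant is gone too. If upstream means the `?` wildcard this is a faithful conversion, but both narrowings should be called out as deliberate. Separately, the deletion of `registry_set_cve_2020_1048_new_printer_port.yml` from this medium ruleset is not paired with a re-add in this file; the rewritten entry with the same id `7ec912f2-5175-4868-b811-ec13ad0f8567` appears only in the first file of the patch, so confirm the medium ruleset still contains it after regeneration.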
@@ -31430,10 +31409,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -31444,7 +31423,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -31469,7 +31448,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
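Review bot: the new title names the observable (the `Altitude` value changing) rather than the attacker's goal, which is the better naming, and `%\\\\Services\\\\%` plus `%\\\\Instances\\\\Sysmon Instance\\\\Altitude` fixes the `HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%` prefix that could not match 4657's `\REGISTRY\MACHINE\...` object names. A caveat that predates this change: `Sysmon Instance` is the default instance name, and an installation that uses a renamed driver may register under a different instance key and stay invisible to this rule; worth verifying and noting in the description. The `Office Macros Warning Disabled` rename in the following hunk matches its description (VBAWarning set to 1) and needs nothing.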
@@ -31510,7 +31489,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -31523,7 +31502,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
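Review bot: the new exclusion `NewProcessName LIKE '%\\\\regsvr32.exe'` accepts any path ending in regsvr32.exe, whereas the neighbouring lsass.exe and poqexec.exe exclusions in the same predicate are anchored to `C:\\\\Windows\\\\System32\\\\`. Since the paired `NewValue` is the fixed `C:\\\\Windows\\\\System32\\\\STAgent.dll`, anchor the process path the same way (System32 and SysWOW64) so that only the system regsvr32 binary rides the filter. Replacing the `HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%` prefix with the three substring tests (`%\\\\System\\\\%`, `%ControlSet%`, `%\\\\Services\\\\%`) is fine and brings `ControlSet00N` paths into scope.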
@@ -31567,10 +31546,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -31581,7 +31560,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -31700,23 +31679,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
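Review bot: removing the Adwind / JRAT rule (id 42f0e038-767e-4b85-9d96-2c6335bad0b5) drops the `CurrentVersion\Run` plus `%AppData%\Roaming\Oracle\bin\` indicator without any trace of why; if this follows upstream moving the rule into a deprecated or emerging-threats folder, record that origin in the commit message so the loss of coverage is traceable.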
@@ -32490,7 +32452,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
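Review bot: the added exclusion is correctly narrow: it requires the writing process to live under `C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\`, the value to contain `rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32`, and the value to reference `C:\\\\Windows\\\\Temp\\\\`, all ANDed, which is the right shape for a Windows Update cleanup false positive. The rule's `falsepositives` field lies outside this hunk, so check that it documents this case as well.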
@@ -32642,7 +32604,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -32762,7 +32724,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
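Review bot: in the WINEVT `Enabled` hunk the trailing `AND NOT ((NewProcessName = '') OR (NewProcessName = ''))` survives the regeneration with the identical predicate repeated twice, which means two distinct Sigma filter values (most plausibly a null and an empty string) are collapsing to the same SQL; that is a converter issue to raise against the pysigma backend rather than something to patch in this JSON. Tightening the wevtutil exclusion from `'%\\\\Windows\\\\system32\\\\wevtutil.exe'` to `'C:\\\\Windows\\\\system32\\\\wevtutil.exe'` is a good change.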
@@ -32777,7 +32739,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -32835,7 +32797,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -32967,7 +32929,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -33082,10 +33044,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -33096,11 +33058,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
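Review bot: lowering `level` from critical to high while changing `falsepositives` from "Unknown" to "Unlikely" pulls in two directions; if the downgrade is because the new `TargetObject` test now also matches `%\\\\System\\\\ControlSet%` paths and therefore fires on more writes, say so in the commit message, otherwise keep critical. Trimming the description removes the pointer to `win_cobaltstrike_service_installs.yml` (the 7045 counterpart), which was the only cross-reference an analyst had to the complementary rule; the dropped SIEM caveat about `ControlSet001`/`ControlSet002` is genuinely obsolete now that the query handles those paths explicitly, so that part of the trim is fine.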
@@ -33166,7 +33128,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
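Review bot: the title "Register New IFiltre For Persistence" keeps the "IFiltre" typo even though the description of the same rule is being corrected in this hunk; fix both in one pass (the id stays stable, so the rename is safe for consumers that key on it).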
@@ -33176,7 +33138,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
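Review bot: the `{eec97550-47a9-11cf-b952-00aa0051fe20}%` CLSID exclusion lacks the trailing `\\\\%` that every other CLSID entry in the list carries, both before and after this change, so it also matches subkeys whose GUID merely begins with that string; align it unless the difference is intentional. The process-path exclusion (`NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%'`, `'C:\\\\Program Files (x86)\\\\%'`, `'C:\\\\Program Files\\\\%'`) allowlists anything running from those trees, which is broad for a persistence rule and worth a line in `falsepositives`. Collapsing the `HKLM\\\\SOFTWARE\\\\Classes` / `HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes` pair into `%\\\\SOFTWARE\\\\Classes\\\\.%` is a good simplification.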
@@ -33426,7 +33388,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -33636,10 +33598,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -33650,7 +33612,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -34097,25 +34059,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
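Review bot: removing "Service Binary in Uncommon Folder" (id 277dc340-0540-42e7-8efb-5ff460045e07) takes away a behavioural check on `Services\*\Start` and `Services\*\ImagePath` for binaries under `\AppData\Local\` and `\AppData\Roaming\`, not a malware-specific indicator; the Zoom exclusions it already carried show it had been tuned rather than abandoned, so if it was dropped for false positives the commit message should say so and name the rule that now covers this case.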
@@ -34168,9 +34111,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
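Review bot: the last exclusion in this hunk, `TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%'`, is the only path test here that did not receive the leading `\\\\` the `Control\\\\Print\\\\Monitors` tests gained; make it `'%\\\\Control\\\\Print\\\\Environments\\\\%'` for consistency. The `level` drop from high to medium accompanies the widening of `TargetObject` from `HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%` to `%\\\\Control\\\\Print\\\\Monitors\\\\%`, so the two changes are coherent (more matches, lower severity).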
@@ -34288,10 +34231,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -34302,7 +34245,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
@@ -34325,25 +34268,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -34402,7 +34326,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -34416,7 +34340,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -34705,25 +34629,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -34866,10 +34771,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
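Review bot: the PortProxy description lost its pointer to `win_netsh_port_fwd.yml` ("For command execution see rule ..."); if that sibling rule was renamed rather than removed, replace the reference with the new name instead of dropping it, since the two rules cover the registry side and the process side of the same activity. The FlowCloud removal at the top of this region is paired with a re-add later in the patch under the same id, so it is a move, not a deletion.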
@@ -34883,7 +34788,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
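Review bot: the new title "New PortProxy Registry Entry Added" no longer matches the condition, which still fires on `OperationType IN ('New registry value created', 'Existing registry value modified')`; either keep a title that covers modifications or drop the modification case. The trailing `\%` on `%\Services\PortProxy\v4tov4\tcp\%` is a genuine fix: the old pattern ended at `...\tcp` with no wildcard and so matched only the key path itself, never a value beneath it.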
@@ -34902,7 +34807,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
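Review bot: replacing the leading `\"` with `%` in the Chrome and Edge `NewValue` exclusions broadens what the `NOT` clause suppresses. Previously the StubPath value had to begin with the quoted installer path; now any value that merely contains `C:\Program Files\Google\Chrome\Application\` somewhere (together with the `\Installer\chrmstp.exe" --configure-user-settings ...` fragment) is excluded. Because this is a suppression rather than a detection, the widening reduces coverage; if the intent was only to tolerate a missing opening quote, keep the rest of the pattern anchored at the start of the value.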
@@ -35245,18 +35150,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
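Review bot: `NOT (((NewProcessName LIKE ... OR ...))))` wraps a single OR group in three redundant parentheses; harmless for SQLite, but it indicates the generator's grouping changed, so it is worth confirming nothing was dropped from the exclusion. The downgrade from `critical` to `high` and the falsepositives change from "Unlikely" to "Unknown" are metadata changes with no justification in the hunk and should be mentioned in the commit message.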
@@ -36108,7 +36013,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -36118,9 +36023,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
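Review bot: the drive letter in the exclusions of file_event_win_creation_system_file.yml is now hard-coded: `%:\Windows\System32\%` became `%C:\Windows\System32\%` (same for SysWOW64, WinSxS, SoftwareDistribution, explorer.exe and the PowerShell paths), so on a host where Windows lives on another drive every legitimate write into System32 will now alert; the old `%:\` form covered any drive and should be kept. Separately, the system-directory exclusion dropped the `NewProcessName LIKE dism.exe / TiWorker.exe` requirement, so any file written into those directories is now ignored regardless of the writing process, and the `RuntimeBroker.exe` created by `wbengine.exe` exclusion was removed without a replacement; both are deliberate scope changes that deserve a line in the changelog.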
@@ -36402,18 +36307,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
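Review bot: the second exclusion branch can never match: it requires `TargetFilename LIKE '%\Windows\System32\winevt\Logs\'` (ending in a backslash with no trailing `%`) while the outer condition requires `TargetFilename LIKE '%.evtx'`, so the `Containers\BaseImages` case is dead code in both the old and the new version; a trailing `%` fixes it. The winevt path was also changed from `%:\Windows\System32\winevt\Logs\%` to `C:\Windows\...`, which breaks the exclusion on installs with another drive letter. Removing the `explorer.exe`/`dllhost.exe` process exclusion is consistent with the new falsepositives entry, but the `C:\Windows\Temp` svchost case described there is only acknowledged, not filtered, so expect that noise at the new `medium` level.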
@@ -43754,6 +43660,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
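Review bot: this is the rule removed earlier in the patch (same id `2d9403d5-7927-46b7-8216-37ab7c9ec5e3`) re-added under the new filename `registry_set_exploit_cve_2022_30190_msdt_follina.yml`, but its condition still uses the absolute `HKCR\ms-msdt\%` prefix while every other registry rule in this patch was rewritten to a leading `%` wildcard; apply the same change (for example `%\ms-msdt\%`) so that the hive spelling in the event does not decide whether it matches.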
@@ -44306,6 +44231,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
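Review bot: the description says "Detects potential exploitation of CVE-2024-1709" (the ScreenConnect rule directly above this one) while the title, the `cve.2024.1212` tag and the filename all refer to CVE-2024-1212; the description text needs correcting. The filename `web_exploit_cve_2024_1212_.yml` also carries a stray trailing underscore. Note that this rule uses the SQLite `MATCH` operator (`logs MATCH (...)`) unlike the plain `LIKE` conditions elsewhere in the file, so it only evaluates where the `logs` table is full-text indexed.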
@@ -44343,6 +44287,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w 
h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
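Review bot: in the lure-execution rule `CommandLine LIKE '%.doc'` has no trailing wildcard, so a command line ending with a closing quote, trailing whitespace or a `.docx` path will not match; `'%.doc%'` or explicit `.doc`/`.docx` variants would be safer. The shutdown-task rule carries only the tactic tag `attack.persistence` with no technique tag, unlike the two sibling rules, and the Winlogon rule's author string omits the `(Nextron Systems)` affiliation used by the other two; worth aligning before merge.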
@@ -44776,6 +44779,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
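Review bot: `NewValue LIKE '%.com%'` with wildcards on both sides matches any port name that contains `.com`, which includes ordinary DNS hostnames used in network printer port names, so this term will be a noise source well beyond the listed "New printer port install on host" false positive; consider anchoring it to an executable-extension form. Likewise `%C:%` matches any value containing `C:`; if a local path is intended, `%C:\%` is tighter.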
@@ -45331,6 +45356,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
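Review bot: this carries the same id `5118765f-6657-4ddb-a487-d7bd673abbf1` as the FlowCloud rule removed earlier in the patch, so it is a move with a rewrite rather than a new rule. The GUID patterns gained a trailing `%` (the old ones ended exactly at the closing brace, matching only the key path itself), falsepositives changed from "Unknown" to "Unlikely", and the filename changed; all three should be listed in the commit message since the first one changes what the rule fires on.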
@@ -46034,6 +46078,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR 
(TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_generic_pysigma.json b/rules/rules_windows_generic_pysigma.json index bd2fa3b..b6582c5 100644 --- a/rules/rules_windows_generic_pysigma.json +++ b/rules/rules_windows_generic_pysigma.json 
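Review bot: The new "Service Binary in User Controlled Folder" rule only matches `OperationType LIKE 'Existing registry value modified'`, so an `ImagePath` written when the service key is first created (a "New registry value created" 4657 event, which is what `sc create` or a remote service install produces) is not covered; the FlowCloud rule added in the previous hunk accepts both operation types via `OperationType IN (...)`, and this one should do the same. Minor: `LIKE` with no wildcard is just a case-insensitive equality, so using the same `IN (...)` form keeps the two rules consistent.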
@@ -800,29 +800,6 @@ ], "filename": "" }, - { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "id": "55e29995-75e7-451a-bef0-6225e2f13597", 
@@ -842,25 +819,6 @@ ], "filename": "" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "OilRig APT Registry Persistence", "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", 
@@ -1005,25 +963,6 @@ ], "filename": "" }, - { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", - "tags": [ - "attack.persistence", - "attack.t1547.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Pandemic Registry Key", "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", 
@@ -3183,6 +3122,25 @@ ], "filename": "" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "Malicious Driver Load", "id": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2", @@ -9614,7 +9572,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" ], "filename": "" }, 
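Review bot: In the SafeBoot `reg.exe` hunk, `NewProcessName LIKE '%\\reg.exe'` is a good tightening over `'%reg.exe'` (which matched any image name merely ending in `reg.exe`), but the companion `OriginalFileName='reg.exe'` uses `=`, which SQLite evaluates case-sensitively (BINARY collation) while `LIKE` is case-insensitive for ASCII. Sigma string matching is case-insensitive unless the `cased` modifier is used, so `OriginalFileName LIKE 'reg.exe'` preserves the intended semantics. The same `=`-versus-`LIKE` difference is harmless for `Channel='Security'` and `OperationType='...'`, where the event data has fixed casing, but it matters for any field populated from a PE header or user input.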
@@ -12164,7 +12122,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE 
'%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" ], "filename": "" }, 
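Review bot: The staging-path branch now adds `:\\ProgramData\\`, `:\\Temp\\`, `:\\Tmp\\` and `:\\Users\\Public\\`, each combined only with `cscript`, `curl` or `wscript` appearing anywhere in the command line. ProgramData is where many legitimate updaters keep the scripts they register with `schtasks /Create`, so expect a noticeable increase in hits for a `high`-level rule; the falsepositives list is outside this hunk and should be checked to see that it mentions such installers, otherwise the new path should be documented in the rule description.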
@@ -19275,27 +19233,6 @@ ], "filename": "" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -19353,10 +19290,10 @@ "filename": "" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
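Review bot: "Suspicious New Printer Ports in Registry (CVE-2020-1048)" is deleted outright rather than converted. Its `TargetObject LIKE 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports%'` prefix assumes the key path is rendered with an `HKLM\\` prefix, which is exactly the assumption the other registry rules in this patch stop making by switching to `'%\\...'` patterns. Rewriting it as `TargetObject LIKE '%\\Windows NT\\CurrentVersion\\Ports\\%'` with the same `NewValue` checks would keep coverage of the port-creation technique instead of dropping it. The Sysmon altitude title and description rewording in the second hunk reads fine.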
@@ -19367,12 +19304,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" ], "filename": "" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -19410,10 +19347,10 @@ "filename": "" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -19424,7 +19361,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT NewValue='DWORD (0x00000d3d)')))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT NewValue='DWORD (0x00000d3d)')))" ], "filename": "" }, @@ -19466,24 +19403,6 @@ ], "filename": "" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "falsepositives": [], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
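Review bot: `NOT NewValue='DWORD (0x00000d3d)'` keeps the Sysmon Event 13 rendering of a REG_DWORD in a rule that now selects `Channel='Security'` 4657 events. If the Security log records the new value in a different form (4657 does not prefix the value with its type in Microsoft's documented examples), the exclusion never matches and the rule fires when the port is set back to 3389 as well. Verify against a captured 4657 before merging; the same literal form is used positively in the WINEVT `Enabled` rule (`NewValue='DWORD (0x00000000)'`) and the WinDefend `Start` rule (`NewValue='DWORD (0x00000004)'`) later in this patch, where a mismatch would make those rules silently miss rather than over-fire.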
@@ -20022,7 +19941,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\'))) AND 
(NOT (NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -20136,7 +20055,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue='DWORD (0x00000000)') AND (NOT (NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (NewProcessName='' OR NewProcessName IS NULL))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue='DWORD (0x00000000)') AND (NOT 
(NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (NewProcessName='' OR NewProcessName IS NULL))))" ], "filename": "" }, @@ -20198,7 +20117,7 @@ "filename": "" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
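Review bot: The wevtutil exclusion changed from `'%\\Windows\\system32\\wevtutil.exe'` to `'C:\\Windows\\system32\\wevtutil.exe'`, pinning it to the C: drive in the same hunk that deliberately de-anchors `TargetObject` from `HKLM\\SOFTWARE\\...` to `'%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%'`. On a host with a different system drive, legitimate `wevtutil` channel changes now alert. Keep the `%\\Windows\\system32\\wevtutil.exe` form; the TiWorker, svchost and TrustedInstaller exclusions in this rule still carry a hard-coded `C:\\` and could be loosened the same way.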
@@ -20213,7 +20132,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND (NOT NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND (NOT (NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "" }, 
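Review bot: The title is now "New TimeProviders Registered With Uncommon DLL Name" but the condition still requires `OperationType='Existing registry value modified'`, so a newly registered provider (a fresh `DllName` value, logged as "New registry value created") is not matched; either add the second operation type or keep the old title, which described what the rule actually catches. Separately, the description in the context above says `...\\Services\\W32Time\\TimeProvider` while the pattern uses `TimeProviders`, which is the real key name; the description should be corrected upstream.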
@@ -20329,6 +20248,29 @@ ], "filename": "" }, + { + "title": "Potential CobaltStrike Service Installations - Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", + "author": "Wojciech Lesicki", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "RDP Sensitive Settings Changed", "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", 
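Review bot: Compared with the version removed earlier in this file, the re-added CobaltStrike rule lowers `level` from `critical` to `high`, changes falsepositives from `Unknown` to `Unlikely`, and drops the description's pointer to the System log 7045 rule (win_cobaltstrike_service_installs.yml) and the note about `ControlSet001`/`ControlSet002`, even though the new `TargetObject LIKE '%\\System\\ControlSet%'` branch is exactly what that note explained. Keep that sentence so the rule documents why the branch exists. As with the other service rules in this patch, only `'Existing registry value modified'` is matched, while a beacon's service install writes a brand-new `ImagePath`.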
@@ -20499,7 +20441,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue='Service') AND (NOT (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue='Service') AND (NOT (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -20615,10 +20557,10 @@ "filename": "" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -20629,7 +20571,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -20904,25 +20846,6 @@ ], "filename": "" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND (NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", @@ -21056,7 +20979,7 @@ "filename": "" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", 
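Review bot: Removing "Add Port Monitor Persistence in Registry" leaves T1547.010 without a registry-based detection in this ruleset, and nothing in the patch replaces it. The rule's only portability issue is the `HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\%` prefix; `TargetObject LIKE '%\\Control\\Print\\Monitors\\%' AND NewValue LIKE '%.dll'` with the existing spoolsv/CutePDF and VNC filters would preserve the detection in the style used elsewhere in this change. The "Windows Defender Service Disabled - Registry" title suffix in the second hunk is a sensible disambiguation.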
@@ -21070,7 +20993,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue='DWORD (0x00000004)'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue='DWORD (0x00000004)'))" ], "filename": "" }, @@ -21460,6 +21383,25 @@ ], "filename": "" }, + { + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", + "author": "iwillkeepwatch", + "tags": [ + "attack.persistence", + "attack.t1547.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "WINEKEY Registry Modification", "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", 
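Review bot: The SSP rule comes back at `level: high` (was `critical`) with falsepositives `Unknown` (was `Unlikely`), and nothing visible explains the downgrade; for a rule that flags an LSA credential-access persistence mechanism, that change deserves a line in the commit message. The `NOT (NewProcessName LIKE 'C:\\Windows\\system32\\msiexec.exe' OR ... 'C:\\Windows\\syswow64\\MsiExec.exe')` exclusion means any MSI package can register a Security Package without alerting; this was already the case in the old version, but since the rule is being re-touched the description should say so, and the exclusion shares the hard-coded `C:\\` issue raised on the WINEVT rule.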
@@ -21698,26 +21640,6 @@ ], "filename": "" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND 
(TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", @@ -21879,25 +21801,6 @@ ], "filename": "" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
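Review bot: the two rules removed across these hunks (Files With System Process Name In Unsuspected Locations, EVTX Created In Uncommon Location) carry no Channel or EventID predicate and match on TargetFilename and Image, fields only a Sysmon file-create event supplies, so in a Security-channel ruleset they could never fire and dropping them is correct. State that in the commit message, because the hunks otherwise read as lost coverage for T1036.005 and T1562.002, and confirm both rules remain in the Sysmon ruleset.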
@@ -26586,6 +26489,26 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND (NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26837,6 +26760,28 @@ ], "filename": "" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
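Review bot: the CVE-2020-1048 rule only accepts `OperationType='Existing registry value modified'`, yet the technique it describes is adding a new printer port, which creates a new value under `...\CurrentVersion\Ports` and is logged by 4657 as `New registry value created`; the SSP rule earlier in this diff already accepts both operation types, so this one should too (`OperationType='New registry value created' OR OperationType='Existing registry value modified'`). As written it only catches an attacker overwriting an existing port entry.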
@@ -29611,25 +29556,6 @@ ], "filename": "" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", "id": "bab049ca-7471-4828-9024-38279a4c04da", 
@@ -30630,6 +30556,25 @@ ], "filename": "" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "New ODBC Driver Registered", "id": "3390fbef-c98d-4bdd-a863-d65ed7c610dd", 
@@ -31210,6 +31155,26 @@ ], "filename": "" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
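Review bot: this block is the rule deleted at `@@ -29611` re-inserted with a longer description and a `detection.threat_hunting` tag; the `rule` string is identical, so the hunk is reorder churn plus metadata. One thing to verify while it moves: `OriginalFileName='Cmd.Exe'` is a Sysmon field and a native 4688 record has none. With the column present but NULL the `OR NewProcessName LIKE '%\\\\cmd.exe'` branch still carries the match (NULL OR TRUE is TRUE), but if the flattened Security events never produce an `OriginalFileName` column the whole query fails with `no such column` rather than degrading to the NewProcessName branch, and the same applies to the Electron rule and every other 4688 rule in this file that references it.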
@@ -35088,6 +35053,24 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": 
"15434e33-5027-4914-88d5-3d4145ec25a9", 
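Review bot: this block is byte-identical to the one removed at `@@ -35612` further down, and the CMD Shell Output Redirect rule makes the same round trip (`@@ -29611` to `@@ -31210`). Have the generator emit rules in a stable order (sorted by `id`, for instance) so that regenerating the ruleset only diffs real rule changes; as it stands the reorder hunks bury the substantive edits such as the `ServiceDll Hijack` and CMD redirect rewrites.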
@@ -35612,24 +35595,6 @@ ], "filename": "" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Remote Access Tool - NetSupport Execution", "id": 
"758ff488-18d5-4cbe-8ec4-02b6285a434f", @@ -42695,10 +42660,10 @@ "filename": "" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -42709,7 +42674,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR 
((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" ], "filename": "" }, @@ -46211,7 +46176,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
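Review bot: in the rewritten `Potentially Suspicious CMD Shell Output Redirect` rule the `_` in `'%>_\\%APPDATA\\%\\\\%'` is an unescaped LIKE wildcard that must match exactly one character (compare the escaped `msedge\\_proxy.exe` in the Electron rule), so `> %APPDATA%\` still matches but `>%APPDATA%\` no longer does, although the lines being removed listed that spelling explicitly; the same loss applies to the %TEMP%, %TMP%, %USERPROFILE%, C:\Temp, C:\Users\Public and C:\Windows\Temp patterns, and the drive-less `> \Users\Public\` pattern was dropped outright. A command line such as `cmd /c whoami>%TEMP%\o.txt` now only fires through the second branch, which additionally requires both `C:\Users\` and `\AppData\Local\` in the string. If the single-character wildcard is inherited from a Sigma `?`, keep the zero-space patterns alongside it; otherwise this is a regression. The added `C:\ProgramData\` target is a good addition.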
@@ -46224,7 +46189,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')) AND (NOT (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -46691,7 +46656,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, @@ -46767,7 +46732,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -46867,7 +46832,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -46877,7 +46842,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE 
'%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
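Review bot: replacing the `HKLM\SOFTWARE\Classes\...` / `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\...` prefixes with `'%\\\\SOFTWARE\\\\Classes\\\\.%'` also admits per-user paths (`\REGISTRY\USER\<SID>\SOFTWARE\Classes\.ext\PersistentHandler`), which the old rule excluded. That is a sensible widening, since a standard user can write there, but the CLSID allow-list and the `NewProcessName LIKE 'C:\\\\Program Files\\\\%'` exclusions were tuned for the machine hive, so expect new false positives from per-user installers and update `falsepositives` accordingly. While in here: the `{eec97550-47a9-11cf-b952-00aa0051fe20}%` entry is the only CLSID in the list without the trailing `\\\\` the others have; it is carried over unchanged from the old version, but aligning it would keep the list uniform.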
@@ -47284,40 +47249,40 @@ "filename": "" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND (NewValue='DWORD (0x00000000)' OR NewValue='DWORD (0x00000001)' OR NewValue='DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND (NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": 
"" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "status": "experimental", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND (NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" ], "filename": "" }, 
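Review bot: Most of the hunk at 47284 is displacement rather than change: `a982fc9c` (Windows Defender Exclusions) is deleted from one slot and re-added verbatim in the next, and `277dc340` is deleted here only to reappear later in this same patch under a new title. Emitting the ruleset in a stable order (sorted by `id`) would turn this into a reviewable diff. On the one genuinely new rule here (`944e8941`, port monitors), the `spoolsv.exe` exclusion is keyed on `NewProcessName` and `User`, which Security event 4657 does not carry (it has `ProcessName` and `SubjectUserName`); confirm that Zircolite's field mapping renames them for 4657 rows, otherwise those columns are NULL and the filter's outcome is decided by SQL three-valued logic rather than by the intended match.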
@@ -47379,10 +47344,10 @@ "filename": "" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -47393,26 +47358,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" - ], - "filename": "" - }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, 
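Review bot: Relaxing `HKLM\\SOFTWARE\\...` to `%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\...` in rule `5a5152f1` is the right fix, for two reasons worth recording in the change description: Security event 4657 spells the key as `\REGISTRY\MACHINE\...` or `\REGISTRY\USER\<SID>\...`, so the `HKLM\` literal never matched, and the `Hidden`/`ShowSuperHidden` values are written under the affected user's hive anyway. While touching the value check: Explorer uses `Hidden` = 1 (show) and 2 (hide), so `NewValue='DWORD (0x00000000)'` covers `ShowSuperHidden` but misses the usual `Hidden` = 2 case; consider accepting `DWORD (0x00000002)` for the `\Hidden` path. The MSDT rule deleted at the bottom of this hunk is a move (it is re-added at 49643 further down), not a removal.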
@@ -47570,10 +47516,10 @@ "filename": "" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", @@ -47587,7 +47533,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "" }, 
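Review bot: The PortProxy pattern change at 47587 does two things at once and the title only explains one. Dropping the `HKLM\\SYSTEM\\CurrentControlSet\\` anchor is needed because 4657 records the key as `\REGISTRY\MACHINE\SYSTEM\ControlSet001\...`, but the added trailing `\\%` turns "the `tcp` key" into "a value beneath the `tcp` key" (for example `*/4444`). Whether `TargetObject` on 4657 rows ever ends with that value name depends on how Zircolite composes it from `ObjectName` and `ObjectValueName`; if it is the bare key path, the rule is now silent. Add a sample 4657 event produced by `netsh interface portproxy add v4tov4` to the tests so this is exercised rather than assumed.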
@@ -47606,7 +47552,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" ], "filename": "" }, 
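Review bot: The leading `%` added to the Chrome/Edge `StubPath` exclusions at 47606 removes the start-of-string anchor that made them safe. Each branch is now `%C:\\Program Files\\...%` AND `%\\Installer\\...--system-level%`, both open at both ends, so a StubPath such as `evil.exe & "C:\Program Files\Google\Chrome\Application\1\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level` is filtered out of an Active Setup persistence alert. If the aim was to tolerate a missing leading quote, keep the anchor and add the unquoted form: `NewValue LIKE 'C:\\Program Files\\Google\\Chrome\\Application\\%' OR NewValue LIKE '\"C:\\Program Files\\Google\\Chrome\\Application\\%'`.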
@@ -48136,6 +48082,26 @@ ], "filename": "" }, + { + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "falsepositives": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT ((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE 
'%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "TeamViewer Remote Session", "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", @@ -48230,6 +48196,26 @@ ], "filename": "" }, + { + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", + "author": "D3F7A5105", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Webshell Creation On Static Website", "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", 
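Review bot: The container exclusion in the new `65236ec7` rule (EVTX Created In Uncommon Location) is dead code: `TargetFilename LIKE '%\\Windows\\System32\\winevt\\Logs\\' ESCAPE '\\'` has no trailing `%`, so it only matches paths that end in `Logs\`, while the selection requires the path to end in `.evtx`; no row satisfies both, so every `.evtx` under `C:\ProgramData\Microsoft\Windows\Containers\BaseImages\` will alert. This looks like a `contains` modifier that lost its closing wildcard on conversion and should read `'%\\Windows\\System32\\winevt\\Logs\\%'`. Separately, neither added rule (`d5866ddf`, `65236ec7`) carries a `Channel`/`EventID` selector, unlike the rest of this ruleset: `d5866ddf` runs roughly eighty `LIKE` clauses against every row in `logs`, and both depend on whichever event type happens to populate `TargetFilename` and `Image` after mapping.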
@@ -49643,6 +49629,25 @@ ], "filename": "" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "Zimbra Collaboration Suite Email Server Unauthenticated RCE", "id": "dd218fb6-4d02-42dc-85f0-a0a376072efd", 
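Review bot: `2d9403d5` (MSDT, CVE-2022-30190) is moved here unchanged, which means it keeps the `HKCR\\ms-msdt\\%` anchor that the rest of this patch is removing from other 4657 rules. Security event 4657 spells that key as `\REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\...` (or the per-user `_Classes` equivalent), so unless the `TargetObject` mapping rewrites hive prefixes, the rule is relocated but still cannot fire; `%\\Classes\\ms-msdt\\%` would match the logged form in both hives.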
@@ -49743,6 +49748,45 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\') AND CommandLine LIKE '%.doc' ESCAPE '\\'))" + ], + "filename": "" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\')) AND (NOT (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "" + 
}, { "title": "Exploit for CVE-2017-0261", "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", 
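Review bot: Both KamiKakaBot rules are keyed on Security 4688, but `fe9e8ba9` excludes on `User LIKE '%AUTHORI%' OR User LIKE '%AUTORI%'`, and 4688 carries `SubjectUserName`/`SubjectDomainName`, not `User`. If the mapping does not supply `User`, the column is NULL on 4688 rows, `NOT (NULL OR NULL)` evaluates to NULL, and the enclosing `AND` becomes NULL: SQLite then drops every row, so the rule never fires and nothing reports an error. Either confirm the mapping with a sample 4688 event in the tests, or write the exclusion as `NOT (COALESCE(User, '') LIKE '%AUTHORI%' OR COALESCE(User, '') LIKE '%AUTORI%')` so an unmapped field degrades to "no exclusion" rather than "no detections". The same `User` filter appears in the port-monitor rule added at 47284.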
@@ -50450,6 +50494,26 @@ ], "filename": "" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' 
AND (NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\'))))))" + ], + "filename": "" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json index 322ddd6..fd8a09f 100644 --- a/rules/rules_windows_sysmon.json +++ b/rules/rules_windows_sysmon.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
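Review bot: In the re-added `277dc340` (Service Binary in User Controlled Folder), the `ZoomCptService` exclusion is unreachable as written: it requires `NewValue` to contain `C:\Program Files\Common Files\Zoom\Support\CptService.exe`, but the selection only admits values containing `:\ProgramData\`, `\AppData\Local\` or `\AppData\Roaming\`, so a row can satisfy both only if the ImagePath also carries one of those paths as an argument. Harmless, but worth either dropping or documenting; the `MBAMInstallerService` exclusion is fine since its path is under `AppData\Local\Temp`. The `reg.exe` change in the SafeBoot hunk (`'%\\reg.exe'` instead of `'%reg.exe'`) is correct and stops images such as `cleanreg.exe` matching, while the `OriginalFileName = 'reg.exe'` branch still catches renamed copies.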
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
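Review bot: Rule `7ec912f2` (Suspicious New Printer Ports, CVE-2020-1048) is removed from the Sysmon ruleset with no replacement visible in this patch and no reason given. If it was retired upstream, say so in the change description; if it fell out of the regeneration, it should come back, because the Sysmon EID 13 `TargetObject` does use the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports` form this rule matched, so it was live, unlike the Security 4657 rules being relaxed elsewhere in this diff. The altitude rule rename (`4916a35e`) is fine; the relaxed `%\\Services\\%` prefix in the following hunk will also match `ControlSet001` paths, which is a gain.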
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, @@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
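Review bot: `42f0e038` (Adwind RAT / JRAT - Registry) is deleted outright in the 16989 hunk with no successor rule visible in this patch; please state whether it was deprecated upstream or dropped by the generator, since the two cases need different follow-up. On the RDP hunk just above, the extra parentheses in `NOT ((Details = 'DWORD (0x00000d3d)'))` are cosmetic and `0xd3d` is 3389, so the logic is unchanged.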
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
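Review bot: The new exclusion in the `@@ -17544` hunk mixes drive handling: the selection patterns use a drive-agnostic `'%:\\\\Windows\\\\Temp\\\\%'`, but the filter pins both `Image LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%'` and `Details LIKE '%C:\\\\Windows\\\\Temp\\\\%'` to `C:`. On hosts with a different system drive the Windows Update `advpack.dll,DelNodeRunDLL32` cleanup will still be selected but never filtered; consider `'%:\\\\Windows\\\\...'` in the filter as well so the two halves stay consistent.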
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
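Review bot: The trailing `AND NOT ((Image = '') OR (Image = ''))` in the `@@ -17658` hunk is two identical clauses and survives the regeneration unchanged; it looks like two distinct filter entries in the source Sigma rule (most likely null/empty-value conditions) that the backend rendered to the same SQL, so the original intent is probably lost rather than expressed twice. Worth checking the upstream `registry_set_disable_winevt_logging.yml` filters. Separately, the wevtutil exclusion changed from `'%\\\\Windows\\\\system32\\\\wevtutil.exe'` to `'C:\\\\Windows\\\\system32\\\\wevtutil.exe'`, so legitimate wevtutil use on a non-`C:` system drive will now alert.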
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
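Review bot: In the `@@ -17866` hunk the second branch `TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\'` has no separator after `Services`, so it also matches values such as `Control\\ServicesPipeTimeout` under a numbered control set; the `ADMIN$`/`COMSPEC` conditions on `Details` keep the practical false-positive risk low, but `'%\\\\Services\\\\%'` would match only the services tree, as the first branch does. Also note this hunk lowers the level from `critical` to `high` while changing `falsepositives` from `Unknown` to `Unlikely`; both come from upstream, but the commit message should mention the severity change since it affects triage in existing deployments.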
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
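Review bot: The selection in this hunk was generalized from `HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot` to `'%\\\\Control\\\\SafeBoot\\\\...'`, but the msiexec exclusion keeps `Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe'` pinned to the `C:` drive. Legitimate `SAVService` installs on a host with another system drive will now be selected and not filtered; `'%:\\\\WINDOWS\\\\system32\\\\msiexec.exe'` would keep the filter aligned with the widened selection.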
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
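Review bot: This hunk removes "Add Port Monitor Persistence in Registry" (`registry_set_add_port_monitor.yml`, T1547.010) and no replacement appears elsewhere in the diff. Port monitor DLL registration is a standard persistence check, so if the upstream rule was merged into another one or deprecated, the commit message should name the replacement; otherwise this is a coverage regression for the pysigma ruleset.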
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
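Review bot: The metadata changes in this hunk pull in opposite directions: the level drops from `critical` to `high` while `falsepositives` moves from `Unlikely` to `Unknown`. Both are upstream values, but a reviewer of the regenerated ruleset should note that an SSP DLL being added to `Lsa\\Security Packages` is rarely benign, and the msiexec exclusion is unchanged, so the downgrade is not driven by new filtering. The `NOT (((...)))` triple nesting is a generator artifact and harmless in SQLite.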
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
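Review bot: The `@@ -19583` hunk deletes "Files With System Process Name In Unsuspected Locations" (`file_event_win_creation_system_file.yml`, T1036.005), one of the larger masquerading detections in the set, and nothing in this diff re-adds it under another name. Because the removal spans the whole rule, including its carefully tuned exclusions for dism, TiWorker, SetupHost and msiexec, please confirm whether the upstream rule was retired or only renamed before accepting the regenerated file.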
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
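Review bot: "EVTX Created In Uncommon Location" (`file_event_win_create_evtx_non_common_locations.yml`) is removed here with no visible replacement; as with the other deletions, the commit message should say whether this is upstream deprecation or a rename. If the rule is reintroduced later, note that its container filter `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\'` ends in a backslash with no trailing `%`, so it can never match a filename that also ends in `.evtx`; that clause was dead in the removed version.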
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
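Review bot: Three problems in the new CVE-2024-1212 rule. The description says "Detects potential exploitation of CVE-2024-1709", which is the ScreenConnect CVE of the preceding rule, while the title and the `cve.2024.1212` tag refer to Kemp LoadMaster; the description should be corrected upstream. The filename `web_exploit_cve_2024_1212_.yml` carries a trailing underscore. Finally, the conditions `cs-uri-stem LIKE '%param=enableapi%'` and `cs-uri-stem LIKE '%value=1%'` test the URI stem; in W3C/IIS-style logs the query string lives in `cs-uri-query`, so on such sources these two clauses never match and the rule is silent. Matching the parameters against the query field (or the raw line, as the `logs MATCH` clause already does) would make the detection work on both layouts.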
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
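Review bot: The `Details` alternatives in the new CVE-2020-1048 registry rule include `'%.com%'` and `'%C:%'`, which are broad substrings: standard TCP/IP printer ports are commonly named after a DNS name (for example anything under a `.com` domain) and will match the first, and any port data containing `C:` matches the second. The rule is `high` with the only listed false positive being "New printer port install on host", so expect noise in environments with many network printers; an environment-specific filter on `Image` (the spooler) or on known port name prefixes may be needed after deployment.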
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json index b010f24..fae0a4d 100644 --- a/rules/rules_windows_sysmon_full.json +++ b/rules/rules_windows_sysmon_full.json 
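Review bot: This hunk re-adds the FlowCloud rule removed in the `@@ -18789` hunk, with the same id `5118765f-6657-4ddb-a487-d7bd673abbf1` and a new filename `registry_event_malware_flowcloud_markers.yml`, so it is a move rather than new coverage; please verify the regenerated file contains the id exactly once. The patterns also change from exact key matches (`'HKLM\\\\HARDWARE\\\\{...}'`) to `'%\\\\HARDWARE\\\\{...}%'`, so they now also fire on values and subkeys beneath those GUID keys and on any hive prefix, which widens the match and is worth a line in the commit message.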
@@ -7257,6 +7257,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE 
'%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
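Review bot: The Electron rule added in this hunk is the same rule (id `378a05d8-963c-46c9-bcce-13c7657eac99`) deleted by the following `@@ -8341` hunk; the only substantive difference is the filename, where the typo `proc_creation_win_susp_electron_exeuction_proxy.yml` becomes `proc_creation_win_susp_electron_execution_proxy.yml`. Since the JSON is regenerated, a pure reorder plus rename is expected, but a short note in the commit message would save the next reviewer from diffing the two 1,000-character rule strings by hand.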
@@ -8341,24 +8359,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR 
CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -15277,7 +15277,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
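Review bot: the SafeBoot hunk changes `Image LIKE '%reg.exe'` to `Image LIKE '%\\\\reg.exe'`, so only an image whose file name is exactly reg.exe matches, not any binary ending in those characters; good precision fix. The `OriginalFileName = 'reg.exe'` branch in the same condition still uses `=`, which in SQLite is a binary (case-sensitive) comparison while the surrounding `LIKE` clauses are case-insensitive for ASCII by default; unless the loader applies a NOCASE collation, confirm that a differently cased OriginalFileName is meant to be skipped here, or use the `LIKE ... ESCAPE '\\'` form as for Image.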
@@ -19908,7 +19908,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
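Review bot: the third branch of the schtasks rule now also fires for `:\\ProgramData\\`, `:\\Temp\\`, `:\\Tmp\\` and `:\\Users\\Public\\` paths combined with cscript/curl/wscript, while `level` stays `high` in the context lines. ProgramData is a common home for legitimate vendor scheduled-task scripts, so re-check the rule's `falsepositives` entry (outside this hunk) and state the widening in the commit message. Note that `'%:\\\\Temp\\\\%'` does not overlap the existing `'%:\\\\Windows\\\\Temp\\\\%'` pattern, since the colon must directly precede `\Temp\`.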
@@ -20299,25 +20299,6 @@ ], "filename": "proc_creation_win_cmdkey_recon.yml" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_cmd_redirect.yml" - }, { "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", 
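Review bot: deleting the `low`-level `CMD Shell Output Redirect` rule (id `4f4eaa9f-5ad4-410c-a4be-bc6132b0175a`) means a cmd.exe command line containing `>` produces no hit at all any more; the only remaining redirect rule in this diff, `Potentially Suspicious CMD Shell Output Redirect` (@@ -24415), covers redirects into the listed temp/profile folders only. That is a defensible noise reduction, but it should be called out in the changelog for users who hunted on the low-level hits.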
@@ -24415,10 +24396,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -24429,7 +24410,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -33796,27 +33777,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
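Review bot: the rewritten redirect patterns such as `'%>_\\%APPDATA\\%\\\\%'` and `'%>_C:\\\\Temp\\\\%'` rely on the unescaped SQL `_` wildcard, so exactly one character must sit between `>` and the target path. The old rule carried both a one-space form (`'%> C:\\\\Temp\\\\%'`) and a no-space form (`'%>C:\\\\Temp\\\\%'`); the no-space form, e.g. `>C:\Temp\out.txt`, no longer matches, and the drive-less `\\Users\\Public\\` variants are gone as well. If dropping those was intentional, say so in the commit message; otherwise keep the no-space patterns next to the `>_` ones.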
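Review bot: the CVE-2020-1048 printer-port rule (`registry_set_cve_2020_1048_new_printer_port.yml`) is removed without a replacement anywhere in this diff, so Sysmon EventID 13 writes under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports` with `.dll`/`.exe`/`.bat` payloads are no longer covered by this ruleset unless another rule not visible here does so. Confirm that coverage exists before merging, or keep the rule at a lower level instead of deleting it.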
@@ -33950,10 +33910,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -33964,7 +33924,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -33989,7 +33949,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -34030,7 +33990,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -34043,7 +34003,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
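Review bot: the new exclusion `Image LIKE '%\\\\regsvr32.exe' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll'` anchors regsvr32 by file name only, whereas every other filter in this rule uses a full path (`C:\\Windows\\system32\\lsass.exe`, `C:\\Windows\\System32\\poqexec.exe`); any binary named regsvr32.exe in any directory satisfies it. Suggest `'C:\\\\Windows\\\\System32\\\\regsvr32.exe'` (plus the `SysWOW64` path if needed) for consistency. Style point: the second `AND NOT (...)` can be folded into the existing filter group rather than appended as a separate clause.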
@@ -34087,10 +34047,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -34101,7 +34061,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -34220,23 +34180,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
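Review bot: dropping the Adwind/JRAT rule removes the only detection in this file for `Run`-key values pointing into `%AppData%\Roaming\Oracle\bin\`; the generic `registry_set_susp_run_key_img_folder.yml` rule (hunk @@ -35030) checks Temp, Public, `$Recycle.bin` and script hosts but not that path. If the rule is retired as too family-specific, consider adding `\\AppData\\Roaming\\Oracle\\bin\\` to the generic rule's `Details` list so the coverage is not silently lost.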
@@ -35030,7 +34973,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -35182,7 +35125,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -35339,7 +35282,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
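Review bot: the winevt rule still ends in `AND NOT ((Image = '') OR (Image = ''))`, an identical pair of empty-string exclusions carried over unchanged on both sides of the hunk; this reads like a conversion artifact from a Sigma filter whose values came through empty, and as written it silently drops events whose `Image` field is empty. Check the source rule's filter and either fix the conversion or remove the clause. Separately, the wevtutil exclusion is now pinned to `C:\\Windows\\system32\\wevtutil.exe` (was `%\\Windows\\system32\\wevtutil.exe`), so hosts with a non-C: system drive will stop being filtered; fine as a deliberate tightening, just be aware of it.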
@@ -35354,7 +35297,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -35412,7 +35355,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -35435,6 +35378,25 @@ ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "registry_set_optimize_file_sharing_network.yml" + }, { "title": "Winlogon AllowMultipleTSSessions Enable", "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", @@ -35562,7 +35524,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, 
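Review bot: the new MaxMpxCt rule has no condition on `Details`, so it fires on every write to the value, including a reset to the default, and `falsepositives` is `Unknown`; since the description says the behaviour of interest is an increase of the value, at minimum exclude the default value (other rules in this file compare `Details = 'DWORD (0x...)'` for exactly that) or document why any write is worth a hit. The `attack.t1070.005` tag (Indicator Removal: Network Share Connection Removal) does not describe raising SMB's outstanding-request limit; confirm the intended technique.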
@@ -35677,10 +35639,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -35691,11 +35653,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
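Review bot: this hunk broadens TargetObject to also cover `\\System\\ControlSet%\\Services%` (the removed description text had pointed at those paths) while at the same time lowering `level` from `critical` to `high` and changing `falsepositives` from `Unknown` to `Unlikely`; the two edits pull in opposite directions, so state the reasoning in the commit message. The `Details LIKE '%ADMIN$%' AND Details LIKE '%.exe%'` branch remains broad: any service ImagePath on an `ADMIN$` share, including legitimate remote-install tooling, matches it.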
@@ -35761,7 +35723,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
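Review bot: the title in the context lines still reads `Register New IFiltre For Persistence` (typo for IFilter) while this hunk rewrites the description directly beneath it; fix the title in the same change so the rule name is searchable. The description change itself (`register` to `registers`, sentence split) is fine.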
@@ -35771,7 +35733,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
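Review bot: the hive-anchored prefixes (`HKLM\SOFTWARE\Classes\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\`) are replaced by `TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%'`, which widens the match to any hive, including per-user `HKU\<SID>\SOFTWARE\Classes`. That is the right direction for a persistence rule, but it means noise control now rests entirely on the `NOT (...)` block, which already excludes every write from an `Image` under `C:\Windows\System32\`, `C:\Program Files\` and `C:\Program Files (x86)\`; call the widened scope out in the changelog so users of `rules_windows_sysmon_pysigma.json` are not surprised by new hits. Pre-existing but visible here: the `{eec97550-47a9-11cf-b952-00aa0051fe20}%` exclusion is the only one in the list without a `\\\\` before the trailing `%`, so it is inconsistent with its neighbours (harmless for a fixed-length GUID, but it hints at a typo in the source YAML).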
@@ -36021,7 +35983,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
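Review bot: dropping the `HKLM\SYSTEM\CurrentControlSet` anchor in favour of `'%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%'` is a behavioural fix, not a cosmetic one: a `TargetObject` spelled `HKLM\SYSTEM\ControlSet001\Control\SafeBoot\...` did not match the old prefix at all. Note that the old rule mixed `SYSTEM` (match) and `System` (exception) and only worked because SQLite `LIKE` is case-insensitive for ASCII by default; the new form no longer depends on that. The `msiexec.exe` exception for `SAVService` still compares `Image` by exact path, which is fine.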
@@ -36231,10 +36193,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36245,7 +36207,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
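Review bot: the narrowed exception `Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' AND Image LIKE '%\\\\TiWorker.exe'` is the important change in the second hunk and should be highlighted: the previous bare `'%\\\\TiWorker.exe'` let any binary named `TiWorker.exe` in any directory rewrite `ChannelAccess` unseen, which is exactly the self-named-binary trick the `file_event_win_creation_system_file` rule further down this diff tries to catch. The `TrustedInstaller.exe` exception stays exact-path, consistent with that. The reordering of the three SDDL fragments in `Details` is a no-op, and the `TargetObject` prefix is widened to `'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%'` like the other registry rules in this diff. The title/description hunk above it is cosmetic.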
@@ -36732,25 +36694,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
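Review bot: this hunk deletes a detection (`277dc340-0540-42e7-8efb-5ff460045e07`, `registry_set_creation_service_uncommon_folder.yml`) with no replacement anywhere in this diff, so users of the ruleset lose coverage for services whose `ImagePath` or creating `Image` lives under `AppData\Local` or `AppData\Roaming`. If the upstream Sigma rule was deprecated or merged into another rule, cite that in the commit message; if the entry vanished because conversion failed, the regeneration should fail loudly rather than silently drop it. Either way, a changelog line listing removed rule ids would help.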
@@ -36823,9 +36766,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
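Review bot: the level drops from `high` to `medium` in the same hunk as the prefix widening; both are reasonable but should be called out, since users often route alerts on level. Small inconsistency: the first two exceptions were updated to the `'%\\\\Control\\\\Print\\\\Monitors\\\\...'` form with a leading backslash, while the third still reads `'%Control\\\\Print\\\\Environments\\\\%'` and therefore also matches a key such as `...\FooControl\Print\Environments\`. Harmless for an exclusion, but two forms in one generated rule suggest two different `contains` spellings in the source YAML.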
@@ -36943,10 +36886,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36957,7 +36900,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
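Review bot: the rule change in the second hunk is a behavioural fix and deserves more than the title rename in the first: `Hidden` and `ShowSuperHidden` are per-user Explorer values under `HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`, so the old `HKLM\SOFTWARE\...` prefix matched a path that user-context malware does not write, and the rule effectively never fired. With `'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden'` it now covers the real location. The new title "Displaying Hidden Files Feature Disabled" is accurate because only `Details = 'DWORD (0x00000000)'` is checked, i.e. re-enabling is ignored. Log this as a fix, not a rename.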
@@ -36980,25 +36923,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -37057,7 +36981,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -37071,7 +36995,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
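Review bot: the first hunk removes the Follina rule (`2d9403d5-7927-46b7-8216-37ab7c9ec5e3`), but the same rule with the same id is re-added at the end of this diff under `registry_set_exploit_cve_2022_30190_msdt_follina.yml`, so this is a move, not a coverage loss; say so in the commit message so it is not confused with the genuine removals elsewhere in the patch.

Review bot: in the WinDefend hunk, `'%\\\\Services\\\\WinDefend\\\\Start'` now also matches `ControlSet001`-style paths that the old `HKLM\SYSTEM\CurrentControlSet` prefix missed, while the value check stays an exact `DWORD (0x00000004)` (SERVICE_DISABLED). The `- Registry` suffix on the title is a useful disambiguation from other rules with the same name.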
@@ -37380,25 +37304,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -37541,10 +37446,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
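Review bot: the FlowCloud rule (`5118765f-6657-4ddb-a487-d7bd673abbf1`, level `critical`) is deleted with no replacement visible in this diff. Unlike the Follina rule above, it is not re-added under a new filename, so this is a real coverage change; confirm it is intentional (e.g. upstream moving threat-specific rules out of the core set) and list it with the other removed ids in the changelog. The PortProxy title/description edits in the same region are cosmetic; dropping the reference to `win_netsh_port_fwd.yml` is fine since that filename is not used in this JSON.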
@@ -37558,7 +37463,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
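Review bot: the change from the exact `...\\\\v4tov4\\\\tcp` to `'%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%'` alters what the rule matches and should be described: the old `LIKE` had no trailing wildcard, so it matched only an event whose `TargetObject` was the `tcp` key itself (the EventID 12 key creation on the first `netsh interface portproxy add`) and never the EventID 13 value writes such as `...\tcp\0.0.0.0/4444` that carry the actual listen/connect addresses. The new pattern matches those value writes and, because it requires a trailing `\`, no longer matches the bare key. That is the better trade (repeat additions on a host where the key already existed were previously invisible), and the leading `%` additionally covers `ControlSet001` paths; worth a line in the description.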
@@ -37577,7 +37482,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
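Review bot: the exceptions lost their start anchor: `'\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'` became `'%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`. Combined with the second Chrome condition, which already ends in `%`, the exception now suppresses any `StubPath` value that merely contains the Chrome application path somewhere followed later by `\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level`; a value like `"C:\Users\x\evil.exe" C:\Program Files\Google\Chrome\Application\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level` runs `evil.exe` yet is excluded, which is a cheap way to hide an Active Setup entry from this rule. The Edge exception is end-anchored (no trailing `%`) so it is less exposed. Suggest restoring the leading `\"` (the `startswith` form) for both.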
@@ -37920,18 +37825,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
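Review bot: the level moves from `critical` to `high` and `falsepositives` from `Unlikely` to `Unknown` in the same hunk as the pattern change; fine, but changelog it. The extra parentheses around the `NOT` block are a generator no-op. The pre-existing blind spot is unchanged and worth documenting in `falsepositives`: any write to `Security Packages` by `msiexec.exe` (exact `Image` path, both `system32` and `syswow64`) is excluded, so an SSP registered by a malicious or trojanised MSI is not reported by this rule.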
@@ -38840,7 +38745,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -38850,9 +38755,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE 
'%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
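Review bot: two changes in the exception block need a sentence in the commit message. First, the system-directory paths (`SystemRoot\System32`, `$WINDOWS.~BT`, `$WinREAgent`, `SoftwareDistribution`, `System32`, `SysWOW64`, `WinSxS`, `uus`) are now excluded unconditionally, whereas before `SoftwareDistribution`/`System32`/`SysWOW64`/`WinSxS` were excluded only when `Image` was `dism.exe` or `TiWorker.exe`. That matches the description ("folders other than the system ones") and removes the servicing false positives behind the drop to `medium`, but `'%C:\\\\Windows\\\\System32\\\\%'` covers every subdirectory, so a system-named binary dropped by an arbitrary process into e.g. `C:\Windows\System32\Tasks\` or `...\System32\spool\drivers\...` is no longer reported. Second, `'%:\\\\Windows\\\\...'` became `'%C:\\\\Windows\\\\...'`, hard-coding the system drive; hosts installed on another drive will now produce hits for every Windows Update and servicing write that used to be excluded. If the generator cannot keep the drive wildcard, note it in `falsepositives`.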
@@ -39152,18 +39057,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
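Review bot: the `BaseImages` branch of the rewritten `rule` line can never match. `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\'` has no trailing `%`, so it is an ends-with test on `Logs\`, while the outer condition requires `TargetFilename LIKE '%.evtx'`; one value cannot satisfy both, so the container-image exclusion is dead. Append `%` to that pattern (`'%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%'`) so it becomes a contains test like its sibling. Separately, the first exclusion was changed from the drive-agnostic `'%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%'` to `'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%'`, so hosts whose system drive is not `C:` will now alert on every ordinary event-log rotation; keep the `%:` prefix, which matches how the rest of this patch relaxes `HKLM\\...` prefixes to `%\\...`. The new false-positive entry about `svchost` dropping `_.evtx` files under `C:\Windows\Temp` is documented but not filtered; that is defensible at the lowered `medium` level, but a sentence in the description saying the filter was left out on purpose would save analysts from re-raising it.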
@@ -46678,6 +46584,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
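Review bot: `TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\'` in the new MSDT rule is anchored on the `HKCR` hive prefix, while every other registry rule touched in this patch is being moved from a `HKLM\\...` prefix to a `%\\...` contains pattern (altitude, RDP port, SafeBoot, ChannelAccess hunks further down). If that relaxation was needed because `TargetObject` values do not reliably start with the hive name, this rule inherits the same blind spot; `'%\\\\ms-msdt\\\\%'` also covers a per-user handler registered under `HKCU\Software\Classes`. Also, `tags` carries only `attack.defense_evasion` and `attack.t1221`, whereas the other CVE rules added in this patch include a `cve.YYYY.NNNN` tag (`cve.2024.1212`, `cve.2020.1048`); add `cve.2022.30190` to match the title.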
@@ -47230,6 +47155,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
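Review bot: the `description` of the new rule says "Detects potential exploitation of CVE-2024-1709" while the `title`, the `cve.2024.1212` tag and the filename all refer to CVE-2024-1212; CVE-2024-1709 is the ScreenConnect rule in the context line just above this hunk, so this is a copy-paste slip that will mislead anyone reading the alert. Change the description to CVE-2024-1212. Two smaller points: the `filename` value `web_exploit_cve_2024_1212_.yml` has a stray trailing underscore before `.yml`, and the `param=enableapi` and `value=1` selectors are tested against `cs-uri-stem`, which in W3C extended log format carries only the path; the query string lives in `cs-uri-query`, so unless this log source stores the full URL in `cs-uri-stem` those two conditions will never be true and the rule is dead. Confirm the field mapping before merging.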
@@ -47267,6 +47211,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE 
'%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
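Review bot: the third rule in this hunk, "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", has no technique id in `tags` (only `attack.persistence` and `detection.emerging_threats`) although the selector is literally `schtasks.exe` with `/create`; add `attack.t1053.005` so it lines up with the other persistence rules. The `author` of the second rule reads `X__Junior` while the first and third read `X__Junior (Nextron Systems)`; align the three. In the first rule, `CommandLine LIKE '%.doc' ESCAPE '\\'` is an ends-with test, so a command line whose final argument is quoted or ends in `.docx` will not match even when the `.lnk ~` and `Start Menu\\Programs\\Word` selectors do; `'%.doc%'` would keep the intent with little extra breadth.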
@@ -47700,6 +47703,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
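Review bot: `Details LIKE '%.com%' ESCAPE '\\'` in the new rule matches any port value containing `.com`, and network printer ports are routinely named after the printer's hostname (a constructed example: `printer01.corp.example.com`), so every legitimate TCP/IP port added in a `.com` domain fires at level `high`. The `falsepositives` entry "New printer port install on host" hints at this, but the `.com` selector makes it systematic rather than occasional; require a path separator before the extension (`'%\\\\%.com'`) or drop `.com` and rely on the `.exe`, `.dll`, script and `C:` selectors. Likewise `Details LIKE '%C:%'` matches `C:` anywhere in the value; `'%C:\\\\%'` keeps the intent (a local path) while tightening it.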
@@ -48255,6 +48280,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -48983,6 +49027,26 @@ ], "filename": "proc_creation_win_tasklist_basic_execution.yml" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_cmd_redirect.yml" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
@@ -49331,6 +49395,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' 
ESCAPE '\\' AND Details LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Shell Context Menu Command Tampering", "id": "868df2d1-0939-4562-83a7-27408c4a1ada", diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json index 322ddd6..fd8a09f 100644 --- a/rules/rules_windows_sysmon_high.json +++ b/rules/rules_windows_sysmon_high.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
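Review bot: the `tags` of "Service Binary in User Controlled Folder" list only `attack.t1112` (Modify Registry), although the description is about a service `ImagePath` being pointed into a user-writable folder, which is the service persistence technique `attack.t1543.003`; add it, since consumers filter on tags. On the positive selectors, `'%\\\\AppData\\\\Local\\\\%'` and `'%\\\\AppData\\\\Roaming\\\\%'` are listed but `\AppData\LocalLow\` is not, and it is user-writable in the same way; add `'%\\\\AppData\\\\LocalLow\\\\%'` so the rule covers the whole profile.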
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
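Review bot: the hunk at `@@ -16798` deletes the rule with id `7ec912f2-5175-4868-b811-ec13ad0f8567` from `rules/rules_windows_sysmon_high.json`, but its renamed successor ("CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", same id, added earlier in this patch) still carries `"level": "high"` and therefore belongs in the high-level ruleset; no re-insertion is visible in this file. Confirm the regenerated `_high.json` contains the new version, otherwise this is a silent loss of coverage for users of the high ruleset.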
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, @@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
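Review bot: the hunk at `@@ -16989` drops "Adwind RAT / JRAT - Registry" (id `42f0e038-767e-4b85-9d96-2c6335bad0b5`, level `high`) from the high ruleset with no replacement visible anywhere in the patch and no explanation. If the upstream rule was deprecated or moved, say so in the commit message; if the conversion simply failed, restore it, since its `Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%'` pattern uses the same escaped-percent form that other rules in this file still carry and should convert cleanly.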
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
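Review bot: the rewritten `rule` in the `@@ -17658` hunk still ends with `AND NOT ((Image = '') OR (Image = ''))`, two identical terms; this is converter output for a filter with two empty-value conditions, and it silently drops every event whose `Image` field is empty. Deduplicate it, or better, check why the source filter produced two empty comparisons. In the same line the `wevtutil` exclusion was changed from `'%\\\\Windows\\\\system32\\\\wevtutil.exe'` to `'C:\\\\Windows\\\\system32\\\\wevtutil.exe'` while the key selector was relaxed from `HKLM\\SOFTWARE\\...` to `'%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%'`; anchoring the exclusion on `C:` while un-anchoring the key is inconsistent and means hosts with a non-`C:` system drive lose the exclusion. Keep the `%` form there.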
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
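Review bot: the selector and the SAVService filter both drop the `HKLM\SYSTEM\CurrentControlSet` prefix in favour of `%\Control\SafeBoot\...`, but the filter's `Image LIKE 'C:\\WINDOWS\\system32\\msiexec.exe'` still hard-codes the system drive. On an installation with Windows on another drive the msiexec exclusion will not apply and the Sophos installer will fire the rule; the `'%:\\Windows\\...'` form used elsewhere in this ruleset would keep selector and filter equally generic. `Details = 'Service'` remains an exact comparison, which is correct for the REG_SZ rendering Sysmon uses.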
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
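Review bot: tightening the TiWorker filter from `Image LIKE '%\\TiWorker.exe'` to `Image LIKE 'C:\\Windows\\WinSxS\\%' AND Image LIKE '%\\TiWorker.exe'` closes the gap where any binary merely named `TiWorker.exe` was exempt from the rule, which is a good change; as with the other hunks, though, it hard-codes `C:` while the selector was just loosened to `%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%`, so consider `'%:\\Windows\\WinSxS\\%'` for consistency. The reordering of the three SDDL ACE substrings (`(A;;0x1;;;LA)`, `(A;;0x1;;;SY)`, `(A;;0x5;;;BA)`) is cosmetic and does not change matching. Title and description edits are fine.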
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
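Review bot: this removes the "Add Port Monitor Persistence in Registry" rule (`attack.t1547.010`, id `944e8941-f6f6-4ee8-ac05-1c224e923c0e`) and no replacement for it appears anywhere in this diff, unlike the FlowCloud and printer-port rules which are deleted and re-added under new filenames further down. Either confirm that the rule survives in another ruleset file or record the loss of port-monitor coverage in the commit message so that consumers of `rules_windows_sysmon_pysigma.json` are not silently left without it.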
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
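Review bot: the selector change to `TargetObject LIKE '%\\Services\\WinDefend\\Start'` is consistent with the rest of the patch and keeps the exact `Details = 'DWORD (0x00000004)'` comparison, which is what Sysmon emits for a REG_DWORD set to SERVICE_DISABLED. One small inconsistency: the description `"Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry"` is left without a trailing period, whereas the other descriptions touched in this patch were normalised to end with one.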
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
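Review bot: the FlowCloud rule deleted here (id `5118765f-6657-4ddb-a487-d7bd673abbf1`, `registry_event_mal_flowcloud.yml`) is re-added later in this same file as "FlowCloud Registry Markers" with the same id, so this hunk is a move rather than a coverage loss. The two hunks should be reviewed together: the re-added version drops the `HKLM\\` anchor and appends a `%` after each GUID key, which is a behavioural change and not just a relocation.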
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
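Review bot: the msiexec filter (`Image LIKE 'C:\\Windows\\system32\\msiexec.exe' OR Image LIKE 'C:\\Windows\\syswow64\\MsiExec.exe'`) exempts every modification of `Lsa\Security Packages` made by an installer, and that exemption is preserved unchanged while the selector is loosened to `%\\Control\\Lsa\\Security Packages`; since an SSP registration via an MSI package looks identical to a legitimate one, the authors should state in falsepositives that installer-driven SSP additions are deliberately not alerted on, or lower the level for that branch instead of filtering it out entirely. The level downgrade from `critical` to `high` paired with falsepositives moving from `Unlikely` to `Unknown` should be explained in the commit message. The `NOT (((...))))` again carries redundant parentheses.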
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
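Review bot: this deletes "Files With System Process Name In Unsuspected Locations" (id `d5866ddf-ce8f-4aea-b28e-d96485a20d3d`, `attack.t1036.005`), a masquerading detection with a large and carefully tuned exclusion list (dism, TiWorker, SetupHost, wbengine, wuauclt, SecurityHealthSetup, wuaucltcore), and no replacement appears in this diff. Confirm that the rule was dropped intentionally (for example because of volume in the high-level ruleset) and that it still exists in another ruleset, otherwise note the coverage loss in the commit message.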
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
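Review bot: "EVTX Created In Uncommon Location" (id `65236ec7-ace0-4f0c-82fd-737b04fd4dcb`, `attack.t1562.002`) is removed here with no counterpart elsewhere in the patch; this is the only rule in the visible diff that covered event-log files being written outside `winevt\Logs`, so the removal deserves an explicit justification. If the rule is ever restored, the Containers filter in the old body, `TargetFilename LIKE '%\\Windows\\System32\\winevt\\Logs\\'` with no trailing `%`, could never match a full file path and should be fixed at the same time.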
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
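Review bot: the description in the added rule says "Detects potential exploitation of CVE-2024-1709" while the title, the `cve.2024.1212` tag and the filename all refer to CVE-2024-1212; the CVE id in the description was evidently copied from the preceding ScreenConnect rule (`web_exploit_cve_2024_1709_screenconnect.yml`) and must be corrected. The filename `web_exploit_cve_2024_1212_.yml` ends in a stray underscore. Two further points to verify against the web-log field mapping: the body tests `cs-uri-stem LIKE '%param=enableapi%'` and `cs-uri-stem LIKE '%value=1%'`, yet in W3C-style logs the query string lives in a separate field (`cs-uri-query`) and never appears in the stem, so the rule may be unable to fire on such logs; and unquoted identifiers like `cs-method` and `cs-uri-stem` are tokenised by SQLite as subtraction expressions (`cs - method`) unless Zircolite's field mapping renames or quotes them, so confirm the converter emits a form the engine actually accepts.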
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
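Review bot: this rule is a narrow sample-derived indicator: all four `Details` substrings (`-nop -w h`, `$env`, `explorer.exe`, `Start-Process`) must be present, so any variation in the launcher string observed in other KamiKakaBot samples will not match. That is fine for an emerging-threats rule tagged `detection.emerging_threats`, but the description should make clear that it complements rather than replaces the generic Winlogon `Shell` value-change detection, so that nobody removes the broader rule on the assumption that this one covers the technique.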
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
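Review bot: this is the rule removed from `rules_windows_sysmon_medium.json` later in this patch (same id `7ec912f2-5175-4868-b811-ec13ad0f8567`), re-added here with `.ps1`, `.vbe` and `.vbs` added to the extension list and a `cve.2020.1048` tag; the move between files and the widened list should both be called out in the commit message. The `Details LIKE '%.com%'` condition matches any port value containing the substring `.com`, which includes the FQDN of an ordinary network printer port such as one named after a host in a `.com` domain; either anchor it (for example on `.com` at the end of the value, as the Sigma `endswith` modifier would) or list that case under falsepositives alongside "New printer port install on host".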
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json index b5720ae..1bb02d4 100644 --- a/rules/rules_windows_sysmon_medium.json +++ b/rules/rules_windows_sysmon_medium.json 
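Review bot: compared with the body deleted earlier in this file, the re-added FlowCloud rule drops the `HKLM\\` anchor in favour of `%\\HARDWARE\\{...}%` and adds a trailing `%` after each GUID key, so it now also matches values and subkeys written beneath those keys, which is consistent with the new description stating that the configuration is stored under them; the falsepositives change from `Unknown` to `Unlikely` is a reasonable tightening for hard malware markers at level `critical`. Because the id is unchanged, make sure both hunks land together so the ruleset never contains two entries with id `5118765f-6657-4ddb-a487-d7bd673abbf1`.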
@@ -6532,6 +6532,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE 
'%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
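Review bot: the block inserted here is byte-for-byte the "Potentially Suspicious Electron Application CommandLine" rule that the next hunk removes from its old position, with the filename typo `proc_creation_win_susp_electron_exeuction_proxy.yml` corrected to `proc_creation_win_susp_electron_execution_proxy.yml`; it is a reorder plus a rename, not a new detection, and the commit message should say so. Since the id `378a05d8-963c-46c9-bcce-13c7657eac99` is the same in both hunks, the two must be applied together to avoid a duplicate rule.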
@@ -7595,24 +7613,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR 
CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -14180,7 +14180,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
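Review bot: the removal hunk at the top of this section is the counterpart of the Electron rule insertion above and needs no separate review. In the SafeBoot hunk, changing `Image LIKE '%reg.exe'` to `Image LIKE '%\\reg.exe'` is a genuine fix: the old pattern also matched any image whose name merely ended in `reg.exe` (such as a renamed `xreg.exe`), while the new one requires the basename itself to be `reg.exe`, matching the `OriginalFileName = 'reg.exe'` alternative. The same path-separator anchoring is worth auditing across the other `Image LIKE '%...exe'` selectors in this ruleset.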
@@ -18479,7 +18479,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
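Review bot: the third branch now adds `%:\\ProgramData\\%`, `%:\\Temp\\%`, `%:\\Tmp\\%` and `%:\\Users\\Public\\%` to the path list, but the companion condition it is ANDed with is still the bare substrings `cscript`, `curl` and `wscript`; `%curl%` in particular matches any command line that contains those four letters anywhere, including in an unrelated path or argument. With `ProgramData` now in scope, where many legitimate products install scheduled tasks, the combination will trip on ordinary software more often, so either anchor the tool names (`\\curl.exe`, `curl `) or add the expected benign cases to falsepositives.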
@@ -22831,10 +22831,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -22845,7 +22845,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -31276,27 +31276,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
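Review bot: the rewritten `proc_creation_win_cmd_redirection_susp_folder.yml` query narrows the first branch: the SQL single-character wildcard `_` in patterns such as `'%>_\\%TEMP\\%\\\\%'` and `'%>_C:\\\\Temp\\\\%'` requires exactly one character between `>` and the target path, whereas the removed version carried an explicit no-space pattern for each location (`'%>\\%TEMP\\%\\\\%'`, `'%>C:\\\\Temp\\\\%'`). A redirection written as `>%TEMP%\out.txt` therefore no longer matches this branch (the append form `>>%TEMP%\...` still does, because the second `>` fills the `_`). If this comes from the upstream Sigma change it should at least be called out; otherwise keep both forms. Note also that the drive-less `'%> \\\\Users\\\\Public\\\\%'` variants are gone and `C:\\\\ProgramData\\\\` is newly covered.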
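Review bot: the hunk at `@@ -31276,27 +31276,6 @@` removes the `registry_set_cve_2020_1048_new_printer_port.yml` rule (new printer port under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports` whose value names a `.dll`, `.exe`, `.bat`, `.com` or `C:` path) and nothing in the visible change replaces it. Rule removals reduce coverage for everyone consuming this ruleset, so please list them in the commit message or changelog and say whether the detection moved elsewhere; the same applies to the later removals of the Adwind RAT, Service Binary in Uncommon Folder and MSDT (CVE-2022-30190) rules in this patch.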
@@ -31430,10 +31409,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -31444,7 +31423,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -31469,7 +31448,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
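Review bot: in `registry_set_change_sysmon_driver_altitude.yml` (and in most registry rules of this patch) the fixed `'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%'` prefix is replaced by the unanchored `'%\\\\Services\\\\%'`. Semantically that is fine, it now also matches `ControlSet001`/`ControlSet002` paths, but here the first condition is redundant: `'%\\\\Instances\\\\Sysmon Instance\\\\Altitude'` can only occur under a service key. Two things to keep in mind for the whole series of such rewrites: a `LIKE` with a leading `%` cannot use an index, so if the anchored form ever benefited from one the new form does not (worth a timing run on a large EVTX set), and the unanchored patterns also match the same subpaths under `HKU\`, harmless for machine-only keys like this one but worth checking for rules whose key also exists per user.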
@@ -31510,7 +31489,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -31523,7 +31502,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
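Review bot: the new exclusion `NOT ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\'))` in `registry_set_servicedll_hijack.yml` matches any image whose name ends in `regsvr32.exe`, unlike the other filters in the same rule, which pin `lsass.exe` and `poqexec.exe` to their full `C:\Windows\System32` paths. A copied or relocated `regsvr32.exe` writing `ServiceDll` with that exact Details value would be filtered out. Anchoring the image to `C:\\\\Windows\\\\System32\\\\regsvr32.exe` (plus the `SysWOW64` path if that is observed) keeps the exclusion consistent with the rest of the rule.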
@@ -31567,10 +31546,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -31581,7 +31560,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -31700,23 +31679,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -32490,7 +32452,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
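Review bot: the added Windows Update exclusion in `registry_set_susp_run_key_img_folder.yml` mixes `C:\\\\WINDOWS\\\\system32\\\\advpack.dll` and `C:\\\\Windows\\\\Temp\\\\` spellings in its `Details` patterns; this is not a bug, because SQLite's `LIKE` is case-insensitive for ASCII unless `PRAGMA case_sensitive_like` is enabled, but it is worth noting for anyone auditing the generated SQL by eye. The exclusion itself is narrow (image under `C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\`, plus both the `rundll32.exe ... advpack.dll,DelNodeRunDLL32` and the `C:\\\\Windows\\\\Temp\\\\` substrings), which is the right shape for a known-benign RunOnce cleanup entry.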
@@ -32642,7 +32604,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -32762,7 +32724,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
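Review bot: the trailing `AND NOT ((Image = '') OR (Image = ''))` in `registry_set_disable_winevt_logging.yml` is carried over unchanged on both sides of the hunk: two identical empty-string comparisons that only exclude events with an empty `Image` and look like a converter artifact from a Sigma filter whose values came through as empty. Please check the upstream filter entries and either drop the clause from the generated output or restore the intended values. The tightened `wevtutil.exe` exclusion, now `'C:\\\\Windows\\\\system32\\\\wevtutil.exe'` instead of the unanchored `'%\\\\Windows\\\\system32\\\\wevtutil.exe'`, is a good change.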
@@ -32777,7 +32739,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -32835,7 +32797,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -32967,7 +32929,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -33082,10 +33044,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -33096,11 +33058,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -33166,7 +33128,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -33176,7 +33138,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
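Review bot: the unchanged context title `"Register New IFiltre For Persistence"` carries a typo (`IFiltre` for `IFilter`); since this JSON is generated from the Sigma rule, the fix belongs upstream in `registry_set_persistence_ifilter.yml` rather than in this file. In the rule body, dropping the separate `HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes` alternatives in favour of `'%\\\\SOFTWARE\\\\Classes\\\\.%'` and `'%\\\\SOFTWARE\\\\Classes\\\\CLSID%'` is correct, as the unanchored patterns cover both spellings of the hive.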
@@ -33426,7 +33388,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -33636,10 +33598,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -33650,7 +33612,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -34097,25 +34059,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
@@ -34168,9 +34111,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
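Review bot: in `registry_set_add_port_monitor.yml` the third exclusion keeps `'%Control\\\\Print\\\\Environments\\\\%'` without the leading `\\\\` that the rewritten patterns in the same query now use (`'%\\\\Control\\\\Print\\\\Monitors\\\\%'`, `'%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%'`); functionally equivalent in practice, but the inconsistency suggests the upstream filter was not updated together with the selection. The level change from `high` to `medium` is not mentioned anywhere visible; since downstream consumers often filter on level, it deserves a line in the changelog.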
@@ -34288,10 +34231,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -34302,7 +34245,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
@@ -34325,25 +34268,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -34402,7 +34326,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -34416,7 +34340,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -34705,25 +34629,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -34866,10 +34771,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
@@ -34883,7 +34788,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
@@ -34902,7 +34807,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
@@ -35245,18 +35150,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -36108,7 +36013,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -36118,9 +36023,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE 
'%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
@@ -36402,18 +36307,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
@@ -43754,6 +43660,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
@@ -44306,6 +44231,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
@@ -44343,6 +44287,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE 
'%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -44776,6 +44779,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -45331,6 +45356,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -46034,6 +46078,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' 
ESCAPE '\\' AND Details LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_sysmon_pysigma.json b/rules/rules_windows_sysmon_pysigma.json index ac92af8..26d3100 100644 --- a/rules/rules_windows_sysmon_pysigma.json +++ b/rules/rules_windows_sysmon_pysigma.json 
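Review bot: `falsepositives` is `Unknown` although the rule body already encodes three known benign writers (Windows Defender platform binaries under `C:\ProgramData\Microsoft\Windows Defender\`, Zoom's `CptService.exe`, and `MBAMInstallerService.exe` under `AppData\Local\Temp`); naming them in `falsepositives` helps whoever tunes this rule later. The Zoom exclusion also deserves a comment: its `Details` literal is a `C:\Program Files\...` path that contains none of the three user-writable directories the selection requires (`:\ProgramData\`, `\AppData\Local\`, `\AppData\Roaming\`), so it can only take effect when the ImagePath string carries one of those directories elsewhere, for example in service arguments; if that is the observed case, say so in the description, otherwise the filter is dead weight. Finally, the rule is tagged only `attack.t1112` while the description frames it as service-binary persistence or privilege escalation; consider adding the Windows-service tag `attack.t1543.003` that the Cobalt Strike service rule in this same diff carries.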
@@ -800,29 +800,6 @@ ], "filename": "" }, - { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "id": "55e29995-75e7-451a-bef0-6225e2f13597", 
@@ -842,25 +819,6 @@ ], "filename": "" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "OilRig APT Registry Persistence", "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", 
@@ -1005,25 +963,6 @@ ], "filename": "" }, - { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", - "tags": [ - "attack.persistence", - "attack.t1547.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Pandemic Registry Key", "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", 
@@ -3183,6 +3122,25 @@ ], "filename": "" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "Malicious Driver Load", "id": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2", @@ -9614,7 +9572,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" ], "filename": "" }, 
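Review bot: in the `@@ -3183` hunk this is the replacement for id `5118765f-6657-4ddb-a487-d7bd673abbf1` removed at `@@ -842`; the `TargetObject` patterns change from exact `HKLM\HARDWARE\{GUID}` strings to `%\HARDWARE\{GUID}%` substrings, so the marker keys now match whatever hive prefix the logger emits and also match any value written beneath those keys, which fits the new description ("stores its configuration in the registry"). Two things belong in the commit message: `falsepositives` moves from `Unknown` to `Unlikely`, and `level: critical` is kept for a rule that now fires on any write under `SYSTEM\Setup\PrintResponsor\` as well as the three GUID keys, which is presumably intended because the rule treats those paths as malware-specific markers.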
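Review bot: in the `@@ -9614` hunk the change from `Image LIKE '%reg.exe'` to `Image LIKE '%\\reg.exe'` is correct and worth keeping: the old suffix pattern matched any executable whose name merely ends in `reg.exe`, while the new one requires the file name itself to be `reg.exe`; the `OriginalFileName='reg.exe'` alternative still covers copies under other names, so no coverage is lost.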
@@ -12164,7 +12122,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' 
ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" ], "filename": "" }, 
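Review bot: the four added paths (`:\ProgramData\`, `:\Temp\`, `:\Tmp\`, `:\Users\Public\`) only extend the branch that also requires `cscript`, `curl` or `wscript` in the command line, so the widening is bounded; `:\ProgramData\` is nonetheless where many legitimate agents keep the scripts they schedule, so expect this branch to need tuning and make sure the rule's falsepositives entry reflects it. Note also that `%curl%` matches as a bare substring (for example inside an unrelated path), which the hunk inherits rather than introduces.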
@@ -19275,27 +19233,6 @@ ], "filename": "" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -19353,10 +19290,10 @@ "filename": "" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
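Review bot: rule `7ec912f2-5175-4868-b811-ec13ad0f8567` (new printer ports under `...\Windows NT\CurrentVersion\Ports`, CVE-2020-1048) is deleted here and, unlike the Cobalt Strike, FlowCloud and SSP rules that are removed and re-inserted under the same id elsewhere in this diff, it does not reappear; if it was deprecated upstream, say so in the commit message, otherwise this is a silent loss of a `level: high` persistence detection.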
@@ -19367,12 +19304,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" ], "filename": "" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -19410,10 +19347,10 @@ "filename": "" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
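Review bot: in the `@@ -19367` hunk, dropping the `HKLM\SYSTEM\CurrentControlSet\` prefix in favour of `%\Services\%` is consistent with the other hunks (it also catches writes under `ControlSet001`/`ControlSet002` and paths logged without the hive prefix), but the rule still has no `Image` or `Details` condition, so every write to `...\Instances\Sysmon Instance\Altitude` fires at `level: high`, including the write that creates the value when the Sysmon driver is installed or updated. Either document that in `falsepositives` or add a `Details` check so that only a change away from the configured altitude alerts.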
@@ -19424,7 +19361,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT Details='DWORD (0x00000d3d)')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT Details='DWORD (0x00000d3d)')))" ], "filename": "" }, @@ -19466,24 +19403,6 @@ ], "filename": "" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "falsepositives": [], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
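Review bot: in the `@@ -19424` hunk the only change is relaxing the key prefix to `%\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber`; the `NOT Details='DWORD (0x00000d3d)'` exact comparison is unchanged, so the rule depends on `Details` arriving in the `DWORD (0x........)` rendering of 3389 shown here and will alert on every write if something upstream normalizes the value (for example to `3389`). Worth a sentence in the description.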
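Review bot: in the `@@ -19466` hunk rule `42f0e038-767e-4b85-9d96-2c6335bad0b5` (Run-key value pointing at `%AppData%\Roaming\Oracle\bin\`) is removed without a replacement appearing anywhere in this diff; the generic Run-key rule touched at `@@ -20022` covers `$Recycle.bin`, `Temp`, `Users\Default`, `Users\Desktop`, `Users\Public`, `Windows\Temp`, `AppData\Local\Temp`, `%temp%`, `%tmp%` and `%Public%` but not `AppData\Roaming`, so this is a coverage loss unless the rule now lives in another ruleset. Note it in the commit message.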
@@ -20022,7 +19941,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND (NOT (Image LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE 
'\\' AND (Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
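Review bot: the new exclusion is appropriately narrow (it needs the `Image` prefix `C:\Windows\SoftwareDistribution\Download\` and both `Details` substrings, the `advpack.dll,DelNodeRunDLL32` call and a `C:\Windows\Temp\` path), but note the asymmetry: the selection uses `%:\\...` to match any drive letter while the exclusion hard-codes `C:`, so on hosts where Windows lives on another drive the exclusion simply does not apply. That errs toward more alerts rather than fewer, which is fine, but the Windows Update self-cleanup case it suppresses should be named in `falsepositives`.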
@@ -20136,7 +20055,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details='DWORD (0x00000000)') AND (NOT (Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (Image='' OR Image IS NULL))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details='DWORD (0x00000000)') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' 
AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (Image='' OR Image IS NULL))))" ], "filename": "" }, @@ -20198,7 +20117,7 @@ "filename": "" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
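Review bot: in the `@@ -20136` hunk both edits move in the safe direction: the `TargetObject` prefix becomes `%\Microsoft\Windows\CurrentVersion\WINEVT\Channels\%` (more matches, including paths logged without the `HKLM\SOFTWARE` prefix) and the wevtutil exclusion goes from the suffix `%\Windows\system32\wevtutil.exe` to the absolute `C:\Windows\system32\wevtutil.exe` (fewer suppressions). Record in the commit message that the second change intentionally stops exempting a wevtutil.exe run from any path other than the system directory, and that the `C:` literal means the exemption is lost, not widened, on non-C: installs.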
@@ -20213,7 +20132,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND (NOT Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND (NOT (Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "" }, 
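Review bot: changing the value-name test from `%DllName` to `%\DllName` is right (the old pattern also matched value names that merely end in `DllName`), and the exclusion list stays as full-path literals (`%SystemRoot%\System32\vmictimeprovider.dll`, `%systemroot%\system32\w32time.dll`, `C:\Windows\SYSTEM32\w32time.DLL`), so a same-named DLL in any other directory still alerts; keep it that way rather than loosening to `%\w32time.dll`. Carrying both the unexpanded `%systemroot%` form and the expanded `C:\Windows` form is necessary because `Details` can hold either; a short comment saying so would stop a later cleanup from deduplicating them.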
@@ -20329,6 +20248,29 @@ ], "filename": "" }, + { + "title": "Potential CobaltStrike Service Installations - Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", + "author": "Wojciech Lesicki", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "RDP Sensitive Settings Changed", "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", 
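Review bot: this is the re-insert of id `61a7697c-cb79-42a8-a2ff-5f0cdfae0130` removed at `@@ -800`, and the commit message should state why `level` drops from `critical` to `high` and `falsepositives` moves from `Unknown` to `Unlikely` while the detection logic is unchanged apart from the key match. On that key match: `%\System\CurrentControlSet\Services%` and `%\System\ControlSet% ... %\Services%` have no trailing backslash, so they also match key names that merely start with `Services`; harmless given the `Details` conditions (`ADMIN$` plus `.exe`, or `%COMSPEC%` plus `start` plus `powershell`), but `%\Services\%` as used in the other hunks would be tighter and consistent. The removed description sentence pointing to the Event ID 7045 system-log rule was useful context for analysts; consider keeping it.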
@@ -20499,7 +20441,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details='Service') AND (NOT (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details='Service') AND (NOT (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" ], "filename": "" }, @@ -20615,10 +20557,10 @@ "filename": "" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -20629,7 +20571,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND (NOT (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND (NOT (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))))" ], "filename": "" }, 
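Review bot: requiring `Image LIKE 'C:\Windows\WinSxS\%'` together with `%\TiWorker.exe` (instead of the bare `%\TiWorker.exe` suffix) is a sound tightening: the exemption now applies only to the servicing worker loaded from the component store, so a binary merely named TiWorker.exe elsewhere no longer suppresses a `ChannelAccess` change. The SDDL patterns are only reordered, but since they are substring matches on `Details`, note in the description that they depend on each ACE being rendered without spaces, e.g. `(A;;0x1;;;SY)`.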
@@ -20904,25 +20846,6 @@ ], "filename": "" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND (NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", @@ -21056,7 +20979,7 @@ "filename": "" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", 
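Review bot: in the `@@ -20904` hunk rule `944e8941-f6f6-4ee8-ac05-1c224e923c0e` (port monitor DLL registration under `...\Control\Print\Monitors\`, `attack.t1547.010`) is removed and not re-inserted anywhere in this diff, so the ruleset loses its port-monitor persistence detection together with its tuned CutePDF and VNC exclusions; confirm this is an intentional deprecation or a move to another ruleset, and say so in the commit message.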
@@ -21070,7 +20993,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details='DWORD (0x00000004)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details='DWORD (0x00000004)'))" ], "filename": "" }, @@ -21460,6 +21383,25 @@ ], "filename": "" }, + { + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", + "author": "iwillkeepwatch", + "tags": [ + "attack.persistence", + "attack.t1547.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "WINEKEY Registry Modification", "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", 
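Review bot: in the `@@ -21460` hunk this is the re-insert of id `eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc` removed at `@@ -1005`, and its metadata moves in the opposite direction from the Cobalt Strike re-insert in this same diff: `level` drops from `critical` to `high` and `falsepositives` goes from `Unlikely` to `Unknown`, with no change to the logic beyond relaxing the key prefix to `%\Control\Lsa\...`. A one-line rationale in the commit message would help reviewers. The msiexec exclusion mixes `system32\msiexec.exe` and `syswow64\MsiExec.exe` casing; that is fine only if the backend's LIKE is case-insensitive, otherwise each literal matches just one casing of the logged path.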
@@ -21698,26 +21640,6 @@ ], "filename": "" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 
'%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -21879,25 +21801,6 @@ ], "filename": "" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
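Review bot: coverage for attack.t1562.002 (event-log tampering) is lost in the -21879 hunk, which deletes the "EVTX Created In Uncommon Location" rule (id 65236ec7-ace0-4f0c-82fd-737b04fd4dcb) with no replacement anywhere in the visible diff. If the rule was dropped deliberately (for example because it no longer converts or was deprecated upstream), the commit message should say so; otherwise it should be restored.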
@@ -26586,6 +26489,26 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND (Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26837,6 +26760,28 @@ ], "filename": "" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
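Review bot: in the new CVE-2020-1048 rule the clause `Details LIKE '%.com%' ESCAPE '\\'` matches any port value containing ".com", which includes ordinary hostnames on standard TCP/IP printer ports (printer.example.com), not only COM executables; the only listed false positive is "New printer port install on host". Either anchor the extension at the end of the value (`'%.com'`) or add the hostname case to falsepositives so analysts know why the rule fires on routine port installs.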
@@ -29611,25 +29556,6 @@ ], "filename": "" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", "id": "bab049ca-7471-4828-9024-38279a4c04da", 
@@ -30630,6 +30556,25 @@ ], "filename": "" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "New ODBC Driver Registered", "id": "3390fbef-c98d-4bdd-a863-d65ed7c610dd", 
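Review bot: the attack.t1070.005 tag on the new "MaxMpxCt Registry Value Changed" rule looks mismatched: T1070.005 is Indicator Removal: Network Share Connection Removal, while the description says the value is raised to handle a higher volume of SMB traffic, which is not an indicator-removal behaviour. Worth checking the tag against the upstream Sigma rule before shipping. Note also that the SQL has no Details condition, so any write to the value, including a decrease, fires; that fits the "low" level but the falsepositives entry ("Unknown") should say that administrative tuning of this value is expected to match.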
@@ -31210,6 +31155,26 @@ ], "filename": "" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
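Review bot: confirm the generated ruleset ends up with exactly one entry with id 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a: this hunk re-adds the "CMD Shell Output Redirect" rule that the -29611 hunk removes. The SQL is byte-for-byte unchanged; the only real changes are the expanded description (including the "redicrect" typo fix) and the added detection.threat_hunting tag, so the entry could equally have been edited in place.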
@@ -35088,6 +35053,24 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -35612,24 +35595,6 @@ ], "filename": "" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Remote Access Tool - NetSupport Execution", "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", 
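Review bot: a deterministic rule order in the generator would avoid churn like this pair of hunks: the rule removed here is identical to the one added in the -35088 hunk (id 378a05d8-963c-46c9-bcce-13c7657eac99, same SQL, tags and level), so nothing changed. If the generator does not already emit rules in a stable order, sorting by id before writing the JSON would keep future diffs limited to real rule changes and make genuine deletions elsewhere in this commit easier to spot.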
@@ -42695,10 +42660,10 @@ "filename": "" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -42709,7 +42674,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" ], "filename": "" }, @@ -46211,7 +46176,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
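Review bot: in the -42709 hunk the new patterns such as `'%>_\\%APPDATA\\%\\\\%'` use `_`, the LIKE single-character wildcard, so they match `> %APPDATA%\` but no longer match the no-space form `>%APPDATA%\` that the old rule listed explicitly (`'%>\\%APPDATA\\%\\\\%'`). If the no-space form is still intended, the wildcard needs to be `%` (zero or more characters) or the no-space variants restored. The same hunk also drops the drive-less `> \\Users\\Public\\` variants while adding `C:\\ProgramData\\`; both should be intentional, since neither is mentioned in the updated description.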
@@ -46224,7 +46189,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')) AND (NOT (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -46691,7 +46656,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" ], "filename": "" }, @@ -46767,7 +46732,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -46867,7 +46832,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
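Review bot: the title on the context line still reads "Register New IFiltre For Persistence" while the description in this hunk is being cleaned up; fixing the "IFiltre" typo to "IFilter" in the same change would keep title and description consistent, and the rule id b23818c7-e575-4d13-8012-332075ec0a2b is what consumers key on, not the title.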
@@ -46877,7 +46842,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -47284,40 +47249,40 @@ "filename": "" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND (Details='DWORD (0x00000000)' OR Details='DWORD (0x00000001)' OR Details='DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND (NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": "" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": 
"a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "status": "experimental", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND (NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" ], "filename": "" }, 
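Review bot: buried in this reordering is the deletion of the "Service Binary in Uncommon Folder" rule (id 277dc340-0540-42e7-8efb-5ff460045e07), which flagged services whose Start or ImagePath was set from an AppData\Local or AppData\Roaming path; its slot is taken by the moved "Windows Defender Exclusions Added - Registry" rule, and the new "Add Port Monitor Persistence in Registry" rule covers a different technique. No replacement appears in the visible diff, so either restore the rule or call the removal out in the commit message. Separately, the Port Monitor rule's exclusion on `User LIKE '%AUTHORI%' OR User LIKE '%AUTORI%'` is there to cover localized SYSTEM account names, which is fine, but it also matches any user name containing that substring and deserves a comment in the upstream rule.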
@@ -47379,10 +47344,10 @@ "filename": "" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -47393,26 +47358,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" - ], - "filename": "" - }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -47570,10 +47516,10 @@ "filename": "" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", @@ -47587,7 +47533,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "" }, 
@@ -47606,7 +47552,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -48136,6 +48082,26 @@ ], "filename": "" }, + { + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "falsepositives": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT ((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program 
Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "TeamViewer Remote Session", "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", @@ -48230,6 +48196,26 @@ ], "filename": "" }, + { + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", + "author": "D3F7A5105", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Potential Webshell Creation On Static Website", "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", 
@@ -49643,6 +49629,25 @@ ], "filename": "" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "Zimbra Collaboration Suite Email Server Unauthenticated RCE", "id": "dd218fb6-4d02-42dc-85f0-a0a376072efd", 
@@ -49743,6 +49748,45 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\') AND CommandLine LIKE '%.doc' ESCAPE '\\'))" + ], + "filename": "" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\')) AND (NOT (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE 
'\\'))))" + ], + "filename": "" + }, { "title": "Exploit for CVE-2017-0261", "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", 
@@ -50450,6 +50494,26 @@ ], "filename": "" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND (Details LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\'))))))" + ], + "filename": "" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/templates/exportForZircoGui.tmpl b/templates/exportForZircoGui.tmpl index 2ecd5f9..a9e1686 100644 --- a/templates/exportForZircoGui.tmpl +++ b/templates/exportForZircoGui.tmpl @@ -228,7 +228,7 @@ var dictData = {}; dictData["reconnaissance"] = ReconnaissanceData; dictData["resource_development"] = ResourceDevelopmentData; dictData["initial_access"] = InitialAccessData; -dictData["execution"] = ExfiltrationData; +dictData["execution"] = ExecutionData; dictData["persistence"] = PersistenceData; dictData["privilege_escalation"] = PrivilegeEscalationData; dictData["defense_evasion"] = DefenseEvasionData;
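Review bot: Hunk @@ -47284,40 +47249,40 @@ reads like two rules being rewritten in place, but it is a regenerated ruleset shifting entries: the "Windows Defender Exclusions Added - Registry" block (id a982fc9c-6333-4ffb-a51d-addb04e8b529) appears on both the `-` and `+` sides with identical fields, and the only entry that actually disappears here is "Service Binary in Uncommon Folder" (id 277dc340-0540-42e7-8efb-5ff460045e07), which comes back rewritten at @@ -50450,6 +50494,26 @@. Review this JSON by rule id rather than by hunk, and say in the commit message that the file is generated output so the +/- pairs are not mistaken for content changes.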
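Review bot: In hunk @@ -47393,26 +47358,7 @@ the replacement query drops the `HKLM\\SOFTWARE\\` prefix in favour of `%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\...`. The `Hidden` and `ShowSuperHidden` values are Explorer settings that also live in the user hive, so the wildcard now catches changes reported under `HKU\...` that the old HKLM-anchored pattern missed; that is the right direction and worth stating in the description. The "Suspicious Set Value of MSDT in Registry" block removed here (id 2d9403d5-7927-46b7-8216-37ab7c9ec5e3) reappears with the same query at @@ -49643,6 +49629,25 @@, so it is a move, not a deletion.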
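Review bot: In hunk @@ -47587,7 +47533,7 @@ the new pattern `'%\\Services\\PortProxy\\v4tov4\\tcp\\%'` requires a trailing backslash plus at least one more character, so it matches values written under the `tcp` key but no longer matches creation of the `tcp` key itself (a TargetObject ending in `\tcp`), which the old exact pattern caught through EventID 12. The narrowing fits the new title "New PortProxy Registry Entry Added", but it is a behaviour change and should get one line in the commit message; if key creation is still wanted, keep both alternatives.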
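Review bot: In hunk @@ -47606,7 +47552,7 @@ the Chrome and Edge filters change from `'\"C:\\Program Files\\...'` (anchored at the first character, including the opening quote) to `'%C:\\Program Files\\...'`. With the leading `%` the allowlist excludes any `StubPath` whose Details contains that installer path anywhere in the string, not only one that starts with it. The second condition on `chrmstp.exe\" --configure-user-settings ...` still has to hold, so the loosening is bounded, but if the intent was only to tolerate a missing leading quote, an explicit second alternative without the quote (`Details LIKE 'C:\\Program Files\\...'`) keeps the anchor and is narrower.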
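Review bot: In hunk @@ -48136,6 +48082,26 @@ the allowlist of system directories is hardcoded to the `C:` drive (`'%C:\\Windows\\System32\\%'`, `'%C:\\Windows\\SysWOW64\\%'`, `'%C:\\Windows\\WinSxS\\%'`, `'%C:\\Windows\\SoftwareDistribution\\%'`); only `'%\\SystemRoot\\System32\\%'` is drive-independent. On a host where Windows is installed on another volume, every legitimate servicing write of `svchost.exe`, `conhost.exe` or any other name in the list would fire this medium-level rule. Either document that assumption next to the baseline recommendation already in the description, or drop the `C:` from those patterns (`'%\\Windows\\System32\\%'`), which the leading `%` already allows.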
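Review bot: In hunk @@ -48230,6 +48196,26 @@ the container BaseImages exception can never match: its second condition `TargetFilename LIKE '%\\Windows\\System32\\winevt\\Logs\\'` has no trailing `%`, so it only matches a TargetFilename that ends with `Logs\`, while the outer condition requires the name to end in `.evtx`. The filter needs `'%\\Windows\\System32\\winevt\\Logs\\%'`. Separately, the `falsepositives` entry documents the known `svchost` drops of `_.evtx` files into `C:\Windows\Temp`, but nothing in the query filters that location; either add it to the `NOT` clause or state in the description that the noise is accepted.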
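Review bot: In hunk @@ -49743,6 +49748,45 @@ the first KamiKakaBot rule closes with `CommandLine LIKE '%.doc'`, so the command line must end exactly in `.doc`; a trailing quote, a trailing space or a `.docx` extension would not match, although the description only says "a Word document". If the observed samples really end the line bare, keep the anchor but say so in the description; otherwise `'%.doc%'` remains well bounded by the other three `CommandLine` conditions. The second rule's `NOT (User LIKE '%AUTHORI%' OR User LIKE '%AUTORI%')` filter matches the localized-SYSTEM handling used in the port monitor rule, which is consistent.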
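Review bot: In hunk @@ -50450,6 +50494,26 @@ the rewritten rule 277dc340-0540-42e7-8efb-5ff460045e07 only inspects `\ImagePath`; the `\Start` branch of the version removed at @@ -47284,40 +47249,40 @@ (an `Image` under `\AppData\Local\` or `\AppData\Roaming\` setting a service start type to DWORD 0, 1 or 2) has no equivalent here, so that coverage is lost in this commit. If that is intentional, record it in the commit message alongside the title change; if not, carry the branch over. The Zoom exclusion keyed on `Details LIKE '%C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe%'` can only reach the `NOT` clause when the same `Details` also contains a `ProgramData` or `AppData` path, so it is presumably aimed at a command line carrying such an argument; a line in `falsepositives` would make that clearer than the current "Unknown".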
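Review bot: In the templates/exportForZircoGui.tmpl hunk @@ -228,7 +228,7 @@ the fix `dictData["execution"] = ExecutionData;` is correct (the execution tactic key pointed at `ExfiltrationData`, so the GUI's execution view showed exfiltration detections), but `ExecutionData` is not defined anywhere in the visible context. Confirm the template declares it alongside `ExfiltrationData` and the other `*Data` arrays, and that `dictData["exfiltration"]` further down still receives `ExfiltrationData`; otherwise the rendered page throws a ReferenceError at load and no tactic view works.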