diff --git a/Makefile b/Makefile index 4c606b1..73c6260 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ DOCKER?=docker DOCKER_BUILD_FLAGS?= DOCKER_REGISTRY?=docker.io -DOCKER_TAG?=1.2.5 +DOCKER_TAG?=1.4.0 define HELP_MENU Usage: make [] [ ...] diff --git a/Readme.md b/Readme.md index 8897007..16b1d05 100644 --- a/Readme.md +++ b/Readme.md @@ -57,6 +57,7 @@ python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json Some EVTX files are not used by SIGMA rules but can become quite large (`Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx` etc.), if you use Zircolite with directory as input argument, all EVTX files will be converted, saved and matched against the SIGMA Rules. To speed up the detection process, you may want to use Zircolite on files matching or not matching a specific pattern. For that you can use **filters** provided by the two command line arguments : + - `-s` or `--select` : select files partly matching the provided a string (case insensitive) - `-a` or `--avoid` : exclude files partly matching the provided a string (case insensitive) 
@@ -73,7 +74,7 @@ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ ``` -For example, the **Sysmon** ruleset available in the `rules` directory only use the following channels (names have been shortened) : Sysmon, Security, System, Powershell, Defender, AppLocker, DriverFrameworks, Application, NTLM, DNS, MSexchange, WMI-activity, TaskScheduler. So if you use the sysmon ruleset with the following rules, you should speed up `Zircolite`execution : +For example, the **Sysmon** ruleset available in the `rules` directory only use the following channels (names have been shortened) : *Sysmon, Security, System, Powershell, Defender, AppLocker, DriverFrameworks, Application, NTLM, DNS, MSexchange, WMI-activity, TaskScheduler*. So if you use the sysmon ruleset with the following rules, you should speed up `Zircolite`execution : ```shell python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ 
@@ -86,6 +87,25 @@ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ :information_source: the "select" argument is always applied first and then the "avoid" argument is applied. So, it is possible to exclude files from included files but not the opposite. +### Date filtering + +Sometimes you want to work on a selected time range to speed up analysis. With Zircolite, it is possible to filter on specific time range just by using the `--after` and `--before` and their respective shorter versions `-A` and `-B`. The filter will apply on the `SystemTime` field of each event : + +```shell +python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \ +-A 2021-06-02T22:40:00 -B 2021-06-02T23:00:00 +``` + +The `--after` and `--before` arguments can be used independantly. + +### Rule filtering + +Some rules can be noisy or slow on specific datasets (check [here](rules/Readme.md)) so it is possible to skip stop by using the `-R` or `--rulefilter` argument. The filter will apply on the rule title. Since there is a CRC32 in the rule title it is easiers to use it : + +```shell +python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json -R BFFA7F72 +``` + ### Templating Zircolite provides a templating system based on Jinja 2. It allows you to change the output format to suits your needs (Splunk or ELK integration, Grep-able output...). To use the template system, use these arguments : diff --git a/rules/Readme.md b/rules/Readme.md index 19ae26c..064d68c 100644 --- a/rules/Readme.md +++ b/rules/Readme.md 
@@ -1,8 +1,22 @@ # Rulesets +## Default rulesets + These rulesets have been generated with `genRules.py` wich is available in the folder `tools` of the Zircolite repository. :warning: **These rulesets are given "as is" to help new analysts to discover SIGMA and Zircolite. They are not filtered for slow rules, rules with a lot of false positives etc. If you know what you do, you MUST generate your own rulesets.** - `rules_windows_generic.json` : Full SIGMA "**Windows**" ruleset (no SYSMON rewriting) - `rules_windows_sysmon.json` : Full SIGMA "**Windows**" ruleset (SYSMON) + +## Why you should make your own rulesets + +The default rulesets provided are the conversion of the rules located in `rules/windows` directory of the Sigma repository. You should take into account that : + +- **Some rules are very noisy or produce a lot of false positives** depending on your environnement or the config file you used with genRules +- **Some rules can be very slow** depending on your logs + +For example : + +- "Suspicious Eventlog Clear or Configuration Using Wevtutil" : **very noisy** on fresh environnement (labs etc.), commonly generate a lot of useless detection +- Notepad Making Network Connection : **can slow very significantly** the execution of Zircolite diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json index d056fd2..e44bd9e 100644 --- a/rules/rules_windows_generic.json +++ b/rules/rules_windows_generic.json @@ -857,7 +857,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (ScriptBlockText LIKE \"%Remove-SmbShare%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Remove-FileShare%\" ESCAPE '\\'))" ] }, - {}, { "title": "Suspicious PowerShell Keywords - 85E21715", "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", 
@@ -885,7 +884,6 @@ "SELECT * FROM (SELECT *,count(ScriptBlockText) AS agg FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (ScriptBlockText LIKE \"%CL\\_Mutexverifiers.ps1%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%runAfterCancelProcess%\" ESCAPE '\\')) GROUP BY Computer) WHERE agg > 2" ] }, - {}, { "title": "Tamper Windows Defender - D4995280", "description": "Attempting to disable scheduled scanning and other parts of windows defender atp.", @@ -899,7 +897,6 @@ "SELECT * FROM logs WHERE (EventID = \"600\" AND HostApplication LIKE \"%Set-MpPreference%\" ESCAPE '\\' AND (HostApplication LIKE \"%-DisableRealtimeMonitoring 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableBehaviorMonitoring 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableScriptScanning 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableBlockAtFirstSeen 1%\" ESCAPE '\\'))" ] }, - {}, { "title": "Execution via CL_Invocation.ps1 (2 Lines) - F4EB7F20", "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", 
@@ -927,7 +924,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND (EventID = \"4104\" AND (ScriptBlockText LIKE \"%Invoke-DllInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Shellcode%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WmiCommand%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-GPPPassword%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Keystrokes%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-TimedScreenshot%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VaultCredential%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-CredentialInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Mimikatz%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-NinjaCopy%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-TokenManipulation%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Out-Minidump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%VolumeShadowCopyTools%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ReflectivePEInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-UserHunter%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-GPOLocation%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ACLScanner%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-DowngradeAccount%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServiceUnquoted%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServiceFilePermission%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServicePermission%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ServiceAbuse%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Install-ServiceBinary%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RegAutoLogon%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VulnAutoRun%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VulnSchTask%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-UnattendedInstallFile%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ApplicationHost%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RegAlwaysInstallElevated%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Unconstrained%\" ESCAPE '\\' OR 
ScriptBlockText LIKE \"%Add-RegBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-ScrnSaveBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Gupt-Backdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ADSBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Enabled-DuplicateToken%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PsUaCme%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Remove-Update%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Check-VM%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-LSASecret%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-PassHashes%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Show-TargetScreen%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Port-Scan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PoshRatHttp%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PowerShellTCP%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PowerShellWMI%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-Exfiltration%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-Persistence%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Do-Exfiltration%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Start-CaptureServer%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ChromeDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ClipboardContents%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-FoxDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-IndexedItem%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Screenshot%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Inveigh%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-NetRipper%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-EgressCheck%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PostExfil%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PSInject%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-RunAs%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%MailRaider%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%New-HoneyHash%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Set-MacAttribute%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-DCSync%\" ESCAPE '\\' OR ScriptBlockText LIKE 
\"%Invoke-PowerDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Exploit-Jboss%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ThunderStruck%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-VoiceTroll%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Set-Wallpaper%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-InveighRelay%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PsExec%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-SSHCommand%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-SecurityPackages%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Install-SSP%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-BackdoorLNK%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerBreach%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-SiteListPassword%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-System%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-BypassUAC%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Tater%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WScriptBypassUAC%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerUp%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerView%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RickAstley%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-Fruit%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%HTTP-Login%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-TrustedDocuments%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Paranoia%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WinEnum%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ARPScan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PortScan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ReverseDNSLookup%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-SMBScanner%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Mimikittenz%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-AllChecks%\" ESCAPE '\\')) AND NOT (EventID = \"4104\" AND (ScriptBlockText LIKE \"%Get-SystemDriveInfo%\" ESCAPE '\\')))" ] }, - {}, { "title": "Encoded PowerShell Command Line - E425013A", "description": "Detects specific combinations of 
encoding methods in the PowerShell command lines", @@ -943,7 +939,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND ((((EventID = \"4688\" AND Channel = \"Security\" AND (CommandLine LIKE \"%ToInt%\" ESCAPE '\\' OR CommandLine LIKE \"%ToDecimal%\" ESCAPE '\\' OR CommandLine LIKE \"%ToByte%\" ESCAPE '\\' OR CommandLine LIKE \"%ToUint%\" ESCAPE '\\' OR CommandLine LIKE \"%ToSingle%\" ESCAPE '\\' OR CommandLine LIKE \"%ToSByte%\" ESCAPE '\\') AND (CommandLine LIKE \"%ToChar%\" ESCAPE '\\' OR CommandLine LIKE \"%ToString%\" ESCAPE '\\' OR CommandLine LIKE \"%String%\" ESCAPE '\\')) OR (CommandLine LIKE \"%char%\" ESCAPE '\\' AND CommandLine LIKE \"%join%\" ESCAPE '\\')) OR (CommandLine LIKE \"%split%\" ESCAPE '\\' AND CommandLine LIKE \"%join%\" ESCAPE '\\')) OR (CommandLine LIKE \"%ForEach%\" ESCAPE '\\' AND CommandLine LIKE \"%Xor%\" ESCAPE '\\') OR (CommandLine LIKE \"%cOnvErTTO-SECUreStRIng%\" ESCAPE '\\')))" ] }, - {}, { "title": "Windows PowerShell Web Request - B5C01B78", "description": "Detects the use of various web request methods (including aliases) via Windows PowerShell", 
@@ -974,7 +969,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND (ScriptBlockText LIKE \"%WMImplant%\" ESCAPE '\\' OR ScriptBlockText LIKE \"% change\\_user %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% gen\\_cli %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% command\\_exec %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% disable\\_wdigest %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% disable\\_winrm %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% enable\\_wdigest %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% enable\\_winrm %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% registry\\_mod %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% remote\\_posh %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% sched\\_job %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% service\\_mod %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% process\\_kill %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% active\\_users %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% basic\\_info %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% power\\_off %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% vacant\\_system %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% logon\\_events %\" ESCAPE '\\'))" ] }, - {}, { "title": "Remote PowerShell Session - 56A62BF2", "description": "Detects remote PowerShell sessions", @@ -1007,8 +1001,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (Message LIKE \"%PromptForCredential%\" ESCAPE '\\'))" ] }, - {}, - {}, { "title": "PowerShell Called from an Executable Version Mismatch - 6011C4B2", "description": "Detects PowerShell called from an executable by the version mismatch method", 
@@ -1024,8 +1016,6 @@ "SELECT * FROM logs WHERE (Channel = \"Windows PowerShell\" AND EventID = \"400\" AND (EngineVersion LIKE \"2.%\" ESCAPE '\\' OR EngineVersion LIKE \"4.%\" ESCAPE '\\' OR EngineVersion LIKE \"5.%\" ESCAPE '\\') AND HostVersion LIKE \"3.%\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "Accessing WinAPI in PowerShell - 806E6935", "description": "Detecting use WinAPI Functions in PowerShell", @@ -1099,7 +1089,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%hctac%\" ESCAPE '\\' OR CommandLine LIKE \"%kearb%\" ESCAPE '\\' OR CommandLine LIKE \"%dnammoc%\" ESCAPE '\\' OR CommandLine LIKE \"%ekovn%\" ESCAPE '\\' OR CommandLine LIKE \"%eliFd%\" ESCAPE '\\' OR CommandLine LIKE \"%rahc%\" ESCAPE '\\' OR CommandLine LIKE \"%etirw%\" ESCAPE '\\' OR CommandLine LIKE \"%golon%\" ESCAPE '\\' OR CommandLine LIKE \"%tninon%\" ESCAPE '\\' OR CommandLine LIKE \"%eddih%\" ESCAPE '\\' OR CommandLine LIKE \"%tpircS%\" ESCAPE '\\' OR CommandLine LIKE \"%ssecorp%\" ESCAPE '\\' OR CommandLine LIKE \"%llehsrewop%\" ESCAPE '\\' OR CommandLine LIKE \"%esnopser%\" ESCAPE '\\' OR CommandLine LIKE \"%daolnwod%\" ESCAPE '\\' OR CommandLine LIKE \"%tneilCbeW%\" ESCAPE '\\' OR CommandLine LIKE \"%tneilc%\" ESCAPE '\\' OR CommandLine LIKE \"%ptth%\" ESCAPE '\\' OR CommandLine LIKE \"%elifotevas%\" ESCAPE '\\' OR CommandLine LIKE \"%46esab%\" ESCAPE '\\' OR CommandLine LIKE \"%htaPpmeTteG%\" ESCAPE '\\' OR CommandLine LIKE \"%tcejbO%\" ESCAPE '\\' OR CommandLine LIKE \"%maerts%\" ESCAPE '\\' OR CommandLine LIKE \"%hcaerof%\" ESCAPE '\\' OR CommandLine LIKE \"%ekovni%\" ESCAPE '\\' OR CommandLine LIKE \"%retupmoc%\" ESCAPE '\\'))" ] }, - {}, { "title": "Accessing WinAPI in PowerShell. Code Injection. - 58AA62BD", "description": "Detecting Code injection with PowerShell in another process", 
@@ -1154,7 +1143,6 @@ "SELECT * FROM logs WHERE (Channel = \"Windows PowerShell\" AND CommandLine LIKE \"%Get-WmiObject%\" ESCAPE '\\' AND CommandLine LIKE \"% Win32\\_Shadowcopy%\" ESCAPE '\\' AND (CommandLine LIKE \"%Delete()%\" ESCAPE '\\' OR CommandLine LIKE \"%Remove-WmiObject%\" ESCAPE '\\') AND EventID IN (\"400\", \"403\", \"600\"))" ] }, - {}, { "title": "PowerShell Get Clipboard - 7E2C33D4", "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", 
@@ -1212,7 +1200,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND ((Message LIKE \"%-nop%\" ESCAPE '\\' AND Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"% -c %\" ESCAPE '\\' AND Message LIKE \"%[Convert]::FromBase64String%\" ESCAPE '\\') OR (Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%-noni%\" ESCAPE '\\' AND Message LIKE \"%-nop%\" ESCAPE '\\' AND Message LIKE \"% -c %\" ESCAPE '\\' AND Message LIKE \"%iex%\" ESCAPE '\\' AND Message LIKE \"%New-Object%\" ESCAPE '\\') OR (Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%-ep%\" ESCAPE '\\' AND Message LIKE \"%bypass%\" ESCAPE '\\' AND Message LIKE \"%-Enc%\" ESCAPE '\\') OR (Message LIKE \"%powershell%\" ESCAPE '\\' AND Message LIKE \"%reg%\" ESCAPE '\\' AND Message LIKE \"%add%\" ESCAPE '\\' AND Message LIKE \"%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%\" ESCAPE '\\') OR (Message LIKE \"%bypass%\" ESCAPE '\\' AND Message LIKE \"%-noprofile%\" ESCAPE '\\' AND Message LIKE \"%-windowstyle%\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%new-object%\" ESCAPE '\\' AND Message LIKE \"%system.net.webclient%\" ESCAPE '\\' AND Message LIKE \"%.download%\" ESCAPE '\\') OR (Message LIKE \"%iex%\" ESCAPE '\\' AND Message LIKE \"%New-Object%\" ESCAPE '\\' AND Message LIKE \"%Net.WebClient%\" ESCAPE '\\' AND Message LIKE \"%.Download%\" ESCAPE '\\')))" ] }, - {}, { "title": "Data Compressed - Powershell - 3F9D62AF", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", 
@@ -1227,7 +1214,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND keywords LIKE \"%-Recurse%\" ESCAPE '\\' AND keywords LIKE \"%|%\" ESCAPE '\\' AND keywords LIKE \"%Compress-Archive%\" ESCAPE '\\')" ] }, - {}, { "title": "PowerShell Get-Process LSASS in ScriptBlock - 5164F399", "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", 
@@ -1296,7 +1282,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND ScriptBlockText IN (\"Export-PowerViewCSV\", \"Resolve-IPAddress\", \"ConvertTo-SID\", \"Convert-ADName\", \"ConvertFrom-UACValue\", \"Add-RemoteConnection\", \"Remove-RemoteConnection\", \"Invoke-UserImpersonation\", \"Invoke-RevertToSelf\", \"Get-DomainSPNTicket\", \"Invoke-Kerberoast\", \"Get-PathAcl\", \"Get-DomainDNSZone\", \"Get-DomainDNSRecord\", \"Get-Domain\", \"Get-DomainController\", \"Get-Forest\", \"Get-ForestDomain\", \"Get-ForestGlobalCatalog\", \"Find-DomainObjectPropertyOutlier-\", \"Get-DomainUser\", \"New-DomainUser\", \"Set-DomainUserPassword\", \"Get-DomainUserEvent\", \"Get-DomainComputer\", \"Get-DomainObject\", \"Set-DomainObject\", \"Get-DomainObjectAcl\", \"Add-DomainObjectAcl\", \"Find-InterestingDomainAcl\", \"Get-DomainOU\", \"Get-DomainSite\", \"Get-DomainSubnet\", \"Get-DomainSID\", \"Get-DomainGroup\", \"New-DomainGroup\", \"Get-DomainManagedSecurityGroup\", \"Get-DomainGroupMember\", \"Add-DomainGroupMember\", \"Get-DomainFileServer\", \"Get-DomainDFSShare\", \"Get-DomainGPO\", \"Get-DomainGPOLocalGroup\", \"Get-DomainGPOUserLocalGroupMapping\", \"Get-DomainGPOComputerLocalGroupMapping\", \"Get-DomainPolicy\", \"Get-NetLocalGroup\", \"Get-NetLocalGroupMember\", \"Get-NetShare\", \"Get-NetLoggedon\", \"Get-NetSession\", \"Get-RegLoggedOn\", \"Get-NetRDPSession\", \"Test-AdminAccess\", \"Get-NetComputerSiteName\", \"Get-WMIRegProxy\", \"Get-WMIRegLastLoggedOn\", \"Get-WMIRegCachedRDPConnection\", \"Get-WMIRegMountedDrive\", \"Get-WMIProcess\", \"Find-InterestingFile\", \"Find-DomainUserLocation\", \"Find-DomainProcess\", \"Find-DomainUserEvent\", \"Find-DomainShare\", \"Find-InterestingDomainShareFile\", \"Find-LocalAdminAccess\", \"Find-DomainLocalGroupMember\", \"Get-DomainTrust\", \"Get-ForestTrust\", \"Get-DomainForeignUser\", \"Get-DomainForeignGroupMember\", \"Get-DomainTrustMapping\"))" ] }, - {}, { 
"title": "Winlogon Helper DLL - B2ABCE2F", "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.", @@ -1594,7 +1579,6 @@ "SELECT * FROM logs WHERE ((NewProcessName LIKE \"%\\\\wscript.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\cscript.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\mshta.exe\" ESCAPE '\\') AND (ImageLoaded LIKE \"%\\\\clr.dll\" ESCAPE '\\' OR ImageLoaded LIKE \"%\\\\mscoree.dll\" ESCAPE '\\' OR ImageLoaded LIKE \"%\\\\mscorlib.dll\" ESCAPE '\\'))" ] }, - {}, { "title": "Active Directory Kerberos DLL Loaded Via Office Applications - 921E8367", "description": "Detects Kerberos DLL being loaded by an Office Product", 
@@ -2847,6 +2831,20 @@ "SELECT * FROM logs WHERE (EventID = \"4657\" AND OperationType IN (\"New registry value created\", \"Existing registry value modified\") AND Channel = \"Security\" AND TargetObject LIKE \"%\\\\Software\\\\Sysinternals\\\\SDelete%\" ESCAPE '\\')" ] }, + { + "title": "New TaskCache Entry - 44F63F4B", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], + "author": "Syed Hasan (@syedhasan009)", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"4657\" AND OperationType IN (\"New registry value created\", \"Existing registry value modified\") AND Channel = \"Security\" AND TargetObject LIKE \"%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%\" ESCAPE '\\')" + ] + }, { "title": "RDP Sensitive Settings Changed - 910E9290", "description": "Detects changes to RDP terminal service sensitive settings", @@ -2919,7 +2917,6 @@ "SELECT * FROM logs WHERE (TargetImage LIKE \"C:\\\\Windows\\\\System32\\\\lsass.exe\" ESCAPE '\\' AND StartModule = \"\")" ] }, - {}, { "title": "CreateRemoteThread API and LoadLibrary - DA07CE53", "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", @@ -2974,7 +2971,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\at.exe\" ESCAPE '\\' AND CommandLine LIKE \"%interactive%\" ESCAPE '\\')" ] }, - {}, { "title": "WMI Persistence - Script Event Consumer - AEE69F79", "description": "Detects WMI script event consumers", 
@@ -3122,7 +3118,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\wmic.exe\" ESCAPE '\\' AND ((CommandLine LIKE \"%/NODE:%\" ESCAPE '\\' AND CommandLine LIKE \"%process%\" ESCAPE '\\' AND CommandLine LIKE \"%call%\" ESCAPE '\\' AND CommandLine LIKE \"%create %\" ESCAPE '\\') OR (CommandLine LIKE \"% path %\" ESCAPE '\\' AND (CommandLine LIKE \"%AntiVirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Firewall%\" ESCAPE '\\') AND CommandLine LIKE \"%Product%\" ESCAPE '\\' AND CommandLine LIKE \"% get %\" ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\wmic.exe\" ESCAPE '\\' AND ((CommandLine LIKE \"%process%\" ESCAPE '\\' AND CommandLine LIKE \"%call%\" ESCAPE '\\' AND CommandLine LIKE \"%create %\" ESCAPE '\\') OR (CommandLine LIKE \"% path %\" ESCAPE '\\' AND (CommandLine LIKE \"%AntiVirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Firewall%\" ESCAPE '\\') AND CommandLine LIKE \"%Product%\" ESCAPE '\\' AND CommandLine LIKE \"% get %\" ESCAPE '\\')))" ] }, { @@ -3224,7 +3220,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND ParentIntegrityLevel = \"Medium\" AND IntegrityLevel = \"System\" AND User LIKE \"NT AUTHORITY\\\\SYSTEM\" ESCAPE '\\')" ] }, - {}, { "title": "Suspicious Rundll32 Activity Invoking Sys File - 17F9A090", "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", @@ -3373,8 +3368,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\Microsoft.Workflow.Compiler.exe\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "PsExec Service Start - 1D0D655E", "description": "Detects a PsExec service start", 
@@ -3390,7 +3383,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND CommandLine LIKE \"C:\\\\Windows\\\\PSEXESVC.exe\" ESCAPE '\\')" ] }, - {}, { "title": "DLL Injection with Tracker.exe - 3C444370", "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", @@ -3456,7 +3448,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\Psr.exe\" ESCAPE '\\' AND CommandLine LIKE \"%/start%\" ESCAPE '\\')" ] }, - {}, { "title": "Indirect Command Execution By Program Compatibility Wizard - 1686BB26", "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", @@ -3501,7 +3492,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND ProcessCommandLine LIKE \"%/UpdateDeploymentProvider%\" ESCAPE '\\' AND ProcessCommandLine LIKE \"%/RunHandlerComServer%\" ESCAPE '\\' AND (NewProcessName LIKE \"%\\\\wuauclt.exe\" ESCAPE '\\'))" ] }, - {}, { "title": "Rundll32 Without Parameters - F72787CD", "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", 
@@ -3615,7 +3605,6 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND ParentProcessName LIKE \"%\\\\mmc.exe\" ESCAPE '\\' AND ((NewProcessName LIKE \"%\\\\cmd.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\powershell.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\wscript.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\cscript.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\sh.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\bash.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\reg.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\regsvr32.exe\" ESCAPE '\\') OR (NewProcessName LIKE \"%\\\\BITSADMIN%\" ESCAPE '\\')))" ] }, - {}, { "title": "Netsh Port or Application Allowed - 38C167BB", "description": "Allow Incoming Connections by Port or Application on Windows Firewall", @@ -4057,7 +4046,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (EventID = \"4688\" AND Channel = \"Security\") AND (NewProcessName LIKE \"%\\\\setspn.exe\" ESCAPE '\\' OR (Description LIKE \"%Query or reset the computer%\" ESCAPE '\\' AND Description LIKE \"%SPN attribute%\" ESCAPE '\\')) AND CommandLine LIKE \"%-q%\" ESCAPE '\\')" ] }, - {}, { "title": "Windows Network Enumeration - 274368BB", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", @@ -4177,7 +4165,6 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND CommandLine LIKE \"%transport=dt\\_socket,address=%\" ESCAPE '\\' AND NOT (CommandLine LIKE \"%address=127.0.0.1%\" ESCAPE '\\' OR CommandLine LIKE \"%address=localhost%\" ESCAPE '\\'))" ] }, - {}, { "title": "Disable Windows Eventlog - 7A63005B", "description": "Detects command that is used to disable Windows eventlog", 
@@ -4417,6 +4404,19 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (NewProcessName LIKE \"%\\\\powerpnt.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\winword.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\excel.exe\" ESCAPE '\\') AND CommandLine LIKE \"%http%\" ESCAPE '\\')" ] }, + { + "title": "Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access - C4DC55F8", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are \"activated\" the privilleged shell is launched.", + "author": "Sreeman", + "tags": [ + "attack.t1015", + "attack.privilege_escalation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (CommandLine LIKE \"copy /y C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe\" ESCAPE '\\'))" + ] + }, { "title": "COMPlus_ETWEnabled Command Line Arguments - 3B52E370", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", @@ -4513,7 +4513,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\runonce.exe\" ESCAPE '\\' AND ParentProcessName LIKE \"%\\\\rundll32.exe\" ESCAPE '\\' AND ParentCommandLine LIKE \"%setupapi.dll%\" ESCAPE '\\' AND ParentCommandLine LIKE \"%InstallHinfSection%\" ESCAPE '\\')" ] }, - {}, { "title": "Application Whitelisting Bypass via Dnx.exe - 0B81025F", "description": "Execute C# code located in the consoleapp folder", 
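Review bot: The sticky-keys rule added in this hunk matches `CommandLine LIKE "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"` with no `%` wildcards, so it only fires when the entire 4688 command line equals that literal; an interpreter prefix (`cmd.exe /c …`), extra quoting, a different drive letter or a whitespace difference defeats it, which leaves the rule effectively dead for the persistence it is meant to catch. A tolerant form, written as SQL and JSON-escaped like the neighbouring rules, would be `(CommandLine LIKE "%copy%" ESCAPE '\' AND CommandLine LIKE "%\\cmd.exe%" ESCAPE '\' AND CommandLine LIKE "%\\sethc.exe%" ESCAPE '\')`. The `attack.t1015` tag also names a technique ID that MITRE appears to have retired in favour of T1546.008, so consumers filtering on current ATT&CK IDs will not surface this rule. Since rules/Readme.md in this same commit states the ruleset is generated by genRules.py, the fix belongs in the source Sigma rule so a regeneration does not reintroduce it.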
@@ -4695,7 +4694,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\schtasks.exe\" ESCAPE '\\' AND CommandLine LIKE \"%/change%\" ESCAPE '\\' AND CommandLine LIKE \"%/TN%\" ESCAPE '\\' AND CommandLine LIKE \"%/RU%\" ESCAPE '\\' AND CommandLine LIKE \"%/RP%\" ESCAPE '\\')" ] }, - {}, { "title": "Renamed PAExec - A5AA95EB", "description": "Detects suspicious renamed PAExec execution as often used by attackers", @@ -4732,8 +4730,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND CommandLine LIKE \"%wmic%\" ESCAPE '\\' AND CommandLine LIKE \"%product where name=%\" ESCAPE '\\' AND CommandLine LIKE \"%call uninstall%\" ESCAPE '\\' AND CommandLine LIKE \"%/nointeractive%\" ESCAPE '\\' AND (CommandLine LIKE \"%Antivirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Security%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Detection%\" ESCAPE '\\' OR CommandLine LIKE \"%Crowdstrike Sensor%\" ESCAPE '\\' OR CommandLine LIKE \"%Windows Defender%\" ESCAPE '\\' OR CommandLine LIKE \"%VirusScan%\" ESCAPE '\\' OR CommandLine LIKE \"%Threat Protection%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Sensor%\" ESCAPE '\\'))" ] }, - {}, - {}, { "title": "Empire PowerShell Launch Parameters - 03174317", "description": "Detects suspicious powershell command line parameters used in Empire", @@ -4866,7 +4862,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (CommandLine LIKE \"%OjpGcm9tQmFzZTY0U3RyaW5n%\" ESCAPE '\\' OR CommandLine LIKE \"%o6RnJvbUJhc2U2NFN0cmluZ%\" ESCAPE '\\' OR CommandLine LIKE \"%6OkZyb21CYXNlNjRTdHJpbm%\" ESCAPE '\\'))" ] }, - {}, { "title": "Rar with Password or Compression Level - 08DB3133", "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", 
@@ -5234,7 +5229,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND CommandLine LIKE \"%Start-BitsTransfer%\" ESCAPE '\\')" ] }, - {}, { "title": "Regedit as Trusted Installer - 419E03DE", "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", @@ -6225,6 +6219,20 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\findstr.exe\" ESCAPE '\\' AND CommandLine LIKE \"%.lnk\" ESCAPE '\\')" ] }, + { + "title": "Monitoring Winget For LOLbin Execution - 6776E2F4", + "description": "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", + "author": "Sreeman", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (CommandLine LIKE \"%.%(_i)winget install (--m|-m).%\" ESCAPE '\\'))" + ] + }, { "title": "Capture Credentials with Rpcping.exe - 95A55062", "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", 
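Review bot: The new winget rule's pattern `\"%.%(_i)winget install (--m|-m).%\"` is a regular expression dropped into a SQL LIKE, where `(`, `)`, `|` and `.` are literal characters and `_` matches a single arbitrary character, so it only fires on a command line that literally contains text like `(?i)winget install (--m|-m).` and will never match a real invocation. The regex-to-LIKE translation most likely happened in the converter, so the source rule probably needs a different modifier, but the query as committed should read `(CommandLine LIKE \"%winget install --m%\" ESCAPE '\\' OR CommandLine LIKE \"%winget install -m%\" ESCAPE '\\')`. With the SQLite semantics these `ESCAPE '\\'` clauses appear written for, LIKE is already ASCII case-insensitive, which covers the `(?i)` flag.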
@@ -6298,8 +6306,6 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND (CommandLine LIKE \"%\\\\calc.exe %\" ESCAPE '\\' OR ((EventID = \"4688\" AND Channel = \"Security\") AND NewProcessName LIKE \"%\\\\calc.exe\" ESCAPE '\\' AND NOT (NewProcessName LIKE \"%\\\\Windows\\\\Sys%\" ESCAPE '\\'))))" ] }, - {}, - {}, { "title": "MSI Spawned Cmd and Powershell Spawned Processes - 7FA91A15", "description": "This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes", @@ -6394,7 +6400,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (CommandLine LIKE \"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%\" ESCAPE '\\' OR CommandLine LIKE \"% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%\" ESCAPE '\\'))" ] }, - {}, { "title": "Always Install Elevated Windows Installer - DBA7F8D2", "description": "This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege", @@ -6976,7 +6981,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND CommandLine LIKE \"% /INJECTRUNNING %\" ESCAPE '\\')" ] }, - {}, { "title": "Suspicious Csc.exe Source File Folder - 67351E6F", "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", 
@@ -6991,7 +6995,6 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND (NewProcessName LIKE \"%\\\\csc.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%\\\\AppData\\\\%\" ESCAPE '\\' OR CommandLine LIKE \"%\\\\Windows\\\\Temp\\\\%\" ESCAPE '\\')) AND NOT (ParentProcessName LIKE \"C:\\\\Program Files%\" ESCAPE '\\' OR (ParentProcessName LIKE \"%\\\\sdiagnhost.exe\" ESCAPE '\\' OR ParentProcessName LIKE \"%\\\\w3wp.exe\" ESCAPE '\\') OR (ParentCommandLine LIKE \"%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%\" ESCAPE '\\')))" ] }, - {}, { "title": "Suspicious TSCON Start - E3111F35", "description": "Detects a tscon.exe start as LOCAL SYSTEM", @@ -7367,7 +7370,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\bcdedit.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%delete%\" ESCAPE '\\' OR CommandLine LIKE \"%deletevalue%\" ESCAPE '\\' OR CommandLine LIKE \"%import%\" ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\bcdedit.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%delete%\" ESCAPE '\\' OR CommandLine LIKE \"%deletevalue%\" ESCAPE '\\' OR CommandLine LIKE \"%import%\" ESCAPE '\\' OR CommandLine LIKE \"%safeboot%\" ESCAPE '\\' OR CommandLine LIKE \"%network%\" ESCAPE '\\'))" ] }, { @@ -7691,7 +7694,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\cmd.exe\" ESCAPE '\\' AND CommandLine LIKE \"%http%\" ESCAPE '\\' AND CommandLine LIKE \"%://%\" ESCAPE '\\' AND CommandLine LIKE \"%\\%AppData\\%%\" ESCAPE '\\')" ] }, - {}, { "title": "Adwind RAT / JRAT - 9AE2C567", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", 
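Review bot: Of the two alternatives added to the bcdedit rule, `CommandLine LIKE \"%network%\" ESCAPE '\\'` adds little on top of `%safeboot%`: a `safeboot network` command line is already caught by the `%safeboot%` clause, so the only extra matches are bcdedit invocations mentioning `network` without `safeboot`, and a bare substring that short on a medium-level rule is more noise than signal. If the Sigma source lists both keywords this is faithful, but consider dropping `%network%` here or folding it into the `safeboot` clause it presumably targets. The rule's `title` and `tags` lines sit outside the hunk, so the intent cannot be checked from this view.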
@@ -7765,6 +7767,19 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND (((NewProcessName LIKE \"%\\\\takeown.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\cacls.exe\" ESCAPE '\\' OR NewProcessName LIKE \"%\\\\icacls.exe\" ESCAPE '\\') AND CommandLine LIKE \"%/grant%\" ESCAPE '\\') OR (NewProcessName LIKE \"%\\\\attrib.exe\" ESCAPE '\\' AND CommandLine LIKE \"%-r%\" ESCAPE '\\')))" ] }, + { + "title": "Dropping Of Password Filter DLL - 8A98ACFC", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", + "tags": [ + "attack.credential_access", + "attack.t1174" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND CommandLine LIKE \"%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%\" ESCAPE '\\' AND CommandLine LIKE \"%scecli\\\\0%\" ESCAPE '\\' AND CommandLine LIKE \"%reg add%\" ESCAPE '\\')" + ] + }, { "title": "Suspicious RDP Redirect Using TSCON - 9FDEE0C7", "description": "Detects a suspicious RDP session redirect using tscon.exe", @@ -8157,7 +8172,6 @@ "SELECT * FROM logs WHERE ((EventID = \"4688\" AND Channel = \"Security\") AND (NewProcessName LIKE \"%\\\\wsmprovhost.exe\" ESCAPE '\\' OR ParentProcessName LIKE \"%\\\\wsmprovhost.exe\" ESCAPE '\\'))" ] }, - {}, { "title": "Run Whoami Showing Privileges - 3EA29598", "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.", 
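Review bot: The new rule's description ("Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS") does not describe what the query matches: it fires on a `reg add` command line that touches `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and contains `scecli\0`, i.e. an extra package being appended after `scecli` in the LSA configuration, not a file write under System32. A description such as `"Detects reg add command lines that append a package after scecli under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa, a way to register a password filter DLL that receives plaintext credentials on password change"` would match the predicate. Only the command-line path is covered; the same change made via the registry API or PowerShell would surface as an EventID 4657 value write, which the `COMPlus_ETWEnabled Registry Modification` rule later in this file shows how to express with `ObjectName`/`ObjectValueName`, and a companion clause of that shape would close the gap. `attack.t1174` is a retired technique ID (now T1556.002).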
@@ -8186,7 +8200,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND (EventID = \"4688\" AND Channel = \"Security\") AND ((NewProcessName LIKE \"%\\\\rundll32.exe\" ESCAPE '\\') OR (Description LIKE \"%Windows-Hostprozess (Rundll32)%\" ESCAPE '\\')) AND (CommandLine LIKE \"%Default.GetString%\" ESCAPE '\\' OR CommandLine LIKE \"%FromBase64String%\" ESCAPE '\\'))" ] }, - {}, { "title": "Abusing Findstr for Defense Evasion - 37622ED3", "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", @@ -8213,7 +8226,6 @@ "SELECT * FROM logs WHERE (EventID = \"4688\" AND Channel = \"Security\" AND NewProcessName LIKE \"%\\\\VBoxDrvInst.exe\" ESCAPE '\\' AND CommandLine LIKE \"%driver%\" ESCAPE '\\' AND CommandLine LIKE \"%executeinf%\" ESCAPE '\\')" ] }, - {}, { "title": "Devtoolslauncher.exe Executes Specified Binary - E6A7650F", "description": "The Devtoolslauncher.exe executes other binary", @@ -8580,8 +8592,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND ((ServiceName LIKE \"%fgexec%\" ESCAPE '\\' OR ServiceName LIKE \"%wceservice%\" ESCAPE '\\' OR ServiceName LIKE \"%wce service%\" ESCAPE '\\' OR ServiceName LIKE \"%pwdump%\" ESCAPE '\\' OR ServiceName LIKE \"%gsecdump%\" ESCAPE '\\' OR ServiceName LIKE \"%cachedump%\" ESCAPE '\\' OR ServiceName LIKE \"%mimikatz%\" ESCAPE '\\' OR ServiceName LIKE \"%mimidrv%\" ESCAPE '\\') OR (ImagePath LIKE \"%fgexec%\" ESCAPE '\\' OR ImagePath LIKE \"%dumpsvc%\" ESCAPE '\\' OR ImagePath LIKE \"%cachedump%\" ESCAPE '\\' OR ImagePath LIKE \"%mimidrv%\" ESCAPE '\\' OR ImagePath LIKE \"%gsecdump%\" ESCAPE '\\' OR ImagePath LIKE \"%servpw%\" ESCAPE '\\' OR ImagePath LIKE \"%pwdump%\" ESCAPE '\\')))" ] }, - {}, - {}, { "title": "Remote WMI ActiveScriptEventConsumers - 20832D8C", "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", 
@@ -8638,7 +8648,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"7045\" AND ServiceName IN (\"srservice\", \"ipvpn\", \"hkmsvc\"))" ] }, - {}, { "title": "SysKey Registry Keys Access - 0E28ECC3", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", @@ -8781,7 +8790,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND AuditSourceName = \"VSSAudit\" AND (EventID = \"4904\" OR EventID = \"4905\"))" ] }, - {}, { "title": "T1047 Wmiprvse Wbemcomn DLL Hijack - E9057B0E", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", @@ -8866,7 +8874,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4624\" AND ((SubjectUserSid = \"S-1-0-0\" AND LogonType = \"3\" AND LogonProcessName = \"NtLmSsp\" AND KeyLength = \"0\") OR (LogonType = \"9\" AND LogonProcessName = \"seclogo\"))) AND NOT (AccountName = \"ANONYMOUS LOGON\"))" ] }, - {}, { "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos - 6F3E544C", "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", @@ -8895,7 +8902,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"16\" AND HiveName LIKE \"%\\\\AppData\\\\Local\\\\Temp\\\\SAM%\" ESCAPE '\\' AND HiveName LIKE \"%.dmp\" ESCAPE '\\')" ] }, - {}, { "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - 17FDA933", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", 
@@ -8927,7 +8933,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-NTLM/Operational\" AND EventID = \"8002\" AND CallingProcessName LIKE \"%\" ESCAPE '\\')" ] }, - {}, { "title": "Admin User Remote Logon - 4A40A753", "description": "Detect remote login by Administrator user depending on internal pattern", @@ -8969,7 +8974,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4706\")" ] }, - {}, { "title": "COMPlus_ETWEnabled Registry Modification - A9F42D97", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", @@ -8983,7 +8987,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4657\" AND ObjectName LIKE \"%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\" ESCAPE '\\' AND ObjectValueName = \"ETWEnabled\" AND NewValue = \"0\")" ] }, - {}, { "title": "Local User Creation - EC51C58E", "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", @@ -8998,7 +9001,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4720\")" ] }, - {}, { "title": "Transferring Files with Credential Data via Network Shares - 2E79E1AF", "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", @@ -9074,7 +9076,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4624\" AND LogonType = \"9\" AND LogonProcessName = \"seclogo\" AND AuthenticationPackageName = \"Negotiate\")" ] }, - {}, { "title": "SCM Database Privileged Operation - D4E6315A", "description": "Detects non-system users performing privileged operation os the SCM database", 
@@ -9199,7 +9200,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"1033\" AND Source = \"Microsoft-Windows-DHCP-Server\")" ] }, - {}, { "title": "SAM Registry Hive Handle Request - DA0447A0", "description": "Detects handles requested to SAM registry hive", @@ -9777,8 +9777,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4697\" AND ImagePath LIKE \"%tap0901%\" ESCAPE '\\')" ] }, - {}, - {}, { "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", @@ -9793,7 +9791,6 @@ "SELECT * FROM (SELECT *,count(*) AS agg FROM logs WHERE (Channel = \"Security\" AND EventID = \"5156\" AND DestinationPort IN (\"3268\", \"3269\")) GROUP BY SourceAddress) WHERE agg > 2000" ] }, - {}, { "title": "DPAPI Domain Backup Key Extraction - 1F38E4F2", "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", 
@@ -9837,6 +9834,21 @@ "SELECT * FROM (SELECT *,count(Account_Name) AS agg FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4625\" AND Logon_Type = \"2\") AND NOT (Caller_Process_Name = \"-\")) GROUP BY Caller_Process_Name) WHERE agg > 10" ] }, + { + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms - D29BF0B4", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", + "tags": [ + "attack.t1204", + "attack.t1193", + "attack.execution", + "attack.initial_access" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = \"Security\" AND CommandLine LIKE \"%.SettingContent-ms%\" ESCAPE '\\' AND NOT ((FilePath LIKE \"%immersivecontrolpanel%\" ESCAPE '\\')))" + ] + }, { "title": "Impacket PsExec Execution - D8619FDA", "description": "Detects execution of Impacket's psexec.py.", @@ -10027,7 +10039,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4662\" AND AccessMask = \"0x100\" AND (Properties LIKE \"%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%\" ESCAPE '\\' OR Properties LIKE \"%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%\" ESCAPE '\\' OR Properties LIKE \"%89e95b76-444d-4c62-991a-0facbeda640c%\" ESCAPE '\\')) AND NOT (SubjectUserName LIKE \"%$\" ESCAPE '\\' OR SubjectUserName LIKE \"MSOL\\_%\" ESCAPE '\\'))" ] }, - {}, { "title": "Access to ADMIN$ Share - 3FB84A7C", "description": "Detects access to $ADMIN share", @@ -10083,7 +10094,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"5145\" AND ShareName LIKE \"%C$\" ESCAPE '\\' AND AccessMask = \"0x2\") AND NOT (SubjectUserName LIKE \"%$\" ESCAPE '\\'))" ] }, - {}, { "title": "Generic Password Dumper Activity on LSASS - FA2DCF85", "description": "Detects process handle on LSASS process with certain access mask", 
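Review bot: The exclusion `NOT ((FilePath LIKE \"%immersivecontrolpanel%\" ESCAPE '\\'))` references a `FilePath` field that no other Security-channel rule in this file uses (the process-creation rules here compare `NewProcessName`/`ParentProcessName`), and the selection omits the `EventID = \"4688\"` constraint every neighbouring `CommandLine` rule carries. If `FilePath` is absent from the flattened 4688 events the LIKE yields NULL, `NOT NULL` is NULL and the whole WHERE evaluates false, so the rule would never fire even on a matching command line; if the column does not exist at all the query errors instead. The Sigma filter was presumably on the process image, so `Channel = \"Security\" AND EventID = \"4688\" AND CommandLine LIKE \"%.SettingContent-ms%\" ESCAPE '\\' AND NOT (NewProcessName LIKE \"%immersivecontrolpanel%\" ESCAPE '\\')` would align it with the rest of the file, to be confirmed against the source rule. `attack.t1193` is a retired technique ID (now T1566.001).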
@@ -10252,6 +10262,19 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"5145\" AND ShareName LIKE \"\\\\%\\\\IPC$\" ESCAPE '\\' AND RelativeTargetName = \"atsvc\" AND Accesses LIKE \"%WriteData%\" ESCAPE '\\')" ] }, + { + "title": "Suspicious Werfault.exe Network Connection Outbound - 22CA2D0B", + "description": "Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.", + "author": "Sreeman", + "tags": [ + "attack.command_and_control", + "attack.t1571" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (NewProcessName = \"werfault.exe\" AND NOT ((ParentProcessName = \"svchost.exe\" AND (DestinationIp LIKE \"104.42.151.234\" ESCAPE '\\' OR DestinationIp LIKE \"104.43.193.48\" ESCAPE '\\' OR DestinationIp LIKE \"52.255.188.83\" ESCAPE '\\' OR DestinationIp LIKE \"13.64.90.137\" ESCAPE '\\' OR DestinationIp LIKE \"168.61.161.212\" ESCAPE '\\' OR DestinationIp LIKE \"13.88.21.125\" ESCAPE '\\' OR DestinationIp LIKE \"40.88.32.150\" ESCAPE '\\' OR DestinationIp LIKE \"52.147.198.201\" ESCAPE '\\' OR DestinationIp LIKE \"52.239.207.100\" ESCAPE '\\' OR DestinationIp LIKE \"52.176.224.96\" ESCAPE '\\' OR DestinationIp LIKE \"2607:7700:0:24:0:1:287e:1894\" ESCAPE '\\' OR DestinationIp LIKE \"10.%\" ESCAPE '\\' OR DestinationIp LIKE \"192.168.%\" ESCAPE '\\' OR DestinationIp LIKE \"127.%\" ESCAPE '\\') AND (DestinationHostname LIKE \"%.windowsupdate.com%\" ESCAPE '\\' OR DestinationHostname LIKE \"%.microsoft.com%\" ESCAPE '\\'))))" + ] + }, { "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln - 755FEA55", "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", 
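Review bot: `NewProcessName = \"werfault.exe\"` and `ParentProcessName = \"svchost.exe\"` are exact equalities, while every other rule in this file matches process names as path suffixes (`LIKE \"%\\\\name.exe\" ESCAPE '\\'`) because these fields carry the full image path; as written the rule matches nothing unless the field is already bare. At minimum it should read `NewProcessName LIKE \"%\\\\werfault.exe\" ESCAPE '\\'` and `ParentProcessName LIKE \"%\\\\svchost.exe\" ESCAPE '\\'`. The query also has no `Channel`/`EventID` guard and pairs process fields with `DestinationIp`/`DestinationHostname`, which look like network-connection fields rather than 4688 ones, so on a process-creation event the NOT filter can only evaluate to NULL or TRUE; for a rule titled "Network Connection Outbound" this suggests a field-mapping mismatch from the Sigma source that should be confirmed. The hard-coded Microsoft IP allowlist will drift over time; the `DestinationHostname` clause is the more durable half of that filter.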
@@ -10349,8 +10372,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND Source = \"Microsoft-Windows-Ntfs\" AND EventID = \"98\" AND DeviceName LIKE \"%HarddiskVolumeShadowCopy%\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "Possible DNS Rebinding - 97CEA82E", "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).", @@ -10654,6 +10675,5 @@ "rule": [ "SELECT * FROM logs WHERE NewProcessName LIKE \"%\\\\regedit.exe\" ESCAPE '\\'" ] - }, - {} + } ] \ No newline at end of file diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json index f1f8213..89e44a7 100644 --- a/rules/rules_windows_sysmon.json +++ b/rules/rules_windows_sysmon.json @@ -857,7 +857,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (ScriptBlockText LIKE \"%Remove-SmbShare%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Remove-FileShare%\" ESCAPE '\\'))" ] }, - {}, { "title": "Suspicious PowerShell Keywords - 85E21715", "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", @@ -885,7 +884,6 @@ "SELECT * FROM (SELECT *,count(ScriptBlockText) AS agg FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (ScriptBlockText LIKE \"%CL\\_Mutexverifiers.ps1%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%runAfterCancelProcess%\" ESCAPE '\\')) GROUP BY Computer) WHERE agg > 2" ] }, - {}, { "title": "Tamper Windows Defender - D4995280", "description": "Attempting to disable scheduled scanning and other parts of windows defender atp.", 
@@ -899,7 +897,6 @@ "SELECT * FROM logs WHERE (EventID = \"600\" AND HostApplication LIKE \"%Set-MpPreference%\" ESCAPE '\\' AND (HostApplication LIKE \"%-DisableRealtimeMonitoring 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableBehaviorMonitoring 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableScriptScanning 1%\" ESCAPE '\\' OR HostApplication LIKE \"%-DisableBlockAtFirstSeen 1%\" ESCAPE '\\'))" ] }, - {}, { "title": "Execution via CL_Invocation.ps1 (2 Lines) - F4EB7F20", "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", 
@@ -927,7 +924,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND (EventID = \"4104\" AND (ScriptBlockText LIKE \"%Invoke-DllInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Shellcode%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WmiCommand%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-GPPPassword%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Keystrokes%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-TimedScreenshot%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VaultCredential%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-CredentialInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Mimikatz%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-NinjaCopy%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-TokenManipulation%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Out-Minidump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%VolumeShadowCopyTools%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ReflectivePEInjection%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-UserHunter%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-GPOLocation%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ACLScanner%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-DowngradeAccount%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServiceUnquoted%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServiceFilePermission%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ServicePermission%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ServiceAbuse%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Install-ServiceBinary%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RegAutoLogon%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VulnAutoRun%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-VulnSchTask%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-UnattendedInstallFile%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ApplicationHost%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RegAlwaysInstallElevated%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Unconstrained%\" ESCAPE '\\' OR 
ScriptBlockText LIKE \"%Add-RegBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-ScrnSaveBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Gupt-Backdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ADSBackdoor%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Enabled-DuplicateToken%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PsUaCme%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Remove-Update%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Check-VM%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-LSASecret%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-PassHashes%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Show-TargetScreen%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Port-Scan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PoshRatHttp%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PowerShellTCP%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PowerShellWMI%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-Exfiltration%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Add-Persistence%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Do-Exfiltration%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Start-CaptureServer%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ChromeDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-ClipboardContents%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-FoxDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-IndexedItem%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-Screenshot%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Inveigh%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-NetRipper%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-EgressCheck%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PostExfil%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PSInject%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-RunAs%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%MailRaider%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%New-HoneyHash%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Set-MacAttribute%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-DCSync%\" ESCAPE '\\' OR ScriptBlockText LIKE 
\"%Invoke-PowerDump%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Exploit-Jboss%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ThunderStruck%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-VoiceTroll%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Set-Wallpaper%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-InveighRelay%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PsExec%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-SSHCommand%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-SecurityPackages%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Install-SSP%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-BackdoorLNK%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerBreach%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-SiteListPassword%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-System%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-BypassUAC%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Tater%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WScriptBypassUAC%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerUp%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%PowerView%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Get-RickAstley%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-Fruit%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%HTTP-Login%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Find-TrustedDocuments%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Paranoia%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-WinEnum%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ARPScan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-PortScan%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-ReverseDNSLookup%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-SMBScanner%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-Mimikittenz%\" ESCAPE '\\' OR ScriptBlockText LIKE \"%Invoke-AllChecks%\" ESCAPE '\\')) AND NOT (EventID = \"4104\" AND (ScriptBlockText LIKE \"%Get-SystemDriveInfo%\" ESCAPE '\\')))" ] }, - {}, { "title": "Encoded PowerShell Command Line - E425013A", "description": "Detects specific combinations of 
encoding methods in the PowerShell command lines", @@ -943,7 +939,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND ((((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (CommandLine LIKE \"%ToInt%\" ESCAPE '\\' OR CommandLine LIKE \"%ToDecimal%\" ESCAPE '\\' OR CommandLine LIKE \"%ToByte%\" ESCAPE '\\' OR CommandLine LIKE \"%ToUint%\" ESCAPE '\\' OR CommandLine LIKE \"%ToSingle%\" ESCAPE '\\' OR CommandLine LIKE \"%ToSByte%\" ESCAPE '\\') AND (CommandLine LIKE \"%ToChar%\" ESCAPE '\\' OR CommandLine LIKE \"%ToString%\" ESCAPE '\\' OR CommandLine LIKE \"%String%\" ESCAPE '\\')) OR (CommandLine LIKE \"%char%\" ESCAPE '\\' AND CommandLine LIKE \"%join%\" ESCAPE '\\')) OR (CommandLine LIKE \"%split%\" ESCAPE '\\' AND CommandLine LIKE \"%join%\" ESCAPE '\\')) OR (CommandLine LIKE \"%ForEach%\" ESCAPE '\\' AND CommandLine LIKE \"%Xor%\" ESCAPE '\\') OR (CommandLine LIKE \"%cOnvErTTO-SECUreStRIng%\" ESCAPE '\\')))" ] }, - {}, { "title": "Windows PowerShell Web Request - B5C01B78", "description": "Detects the use of various web request methods (including aliases) via Windows PowerShell", 
@@ -974,7 +969,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND (ScriptBlockText LIKE \"%WMImplant%\" ESCAPE '\\' OR ScriptBlockText LIKE \"% change\\_user %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% gen\\_cli %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% command\\_exec %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% disable\\_wdigest %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% disable\\_winrm %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% enable\\_wdigest %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% enable\\_winrm %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% registry\\_mod %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% remote\\_posh %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% sched\\_job %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% service\\_mod %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% process\\_kill %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% active\\_users %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% basic\\_info %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% power\\_off %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% vacant\\_system %\" ESCAPE '\\' OR ScriptBlockText LIKE \"% logon\\_events %\" ESCAPE '\\'))" ] }, - {}, { "title": "Remote PowerShell Session - 56A62BF2", "description": "Detects remote PowerShell sessions", @@ -1007,8 +1001,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND (Message LIKE \"%PromptForCredential%\" ESCAPE '\\'))" ] }, - {}, - {}, { "title": "PowerShell Called from an Executable Version Mismatch - 6011C4B2", "description": "Detects PowerShell called from an executable by the version mismatch method", 
@@ -1024,8 +1016,6 @@ "SELECT * FROM logs WHERE (Channel = \"Windows PowerShell\" AND EventID = \"400\" AND (EngineVersion LIKE \"2.%\" ESCAPE '\\' OR EngineVersion LIKE \"4.%\" ESCAPE '\\' OR EngineVersion LIKE \"5.%\" ESCAPE '\\') AND HostVersion LIKE \"3.%\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "Accessing WinAPI in PowerShell - 806E6935", "description": "Detecting use WinAPI Functions in PowerShell", @@ -1099,7 +1089,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%hctac%\" ESCAPE '\\' OR CommandLine LIKE \"%kearb%\" ESCAPE '\\' OR CommandLine LIKE \"%dnammoc%\" ESCAPE '\\' OR CommandLine LIKE \"%ekovn%\" ESCAPE '\\' OR CommandLine LIKE \"%eliFd%\" ESCAPE '\\' OR CommandLine LIKE \"%rahc%\" ESCAPE '\\' OR CommandLine LIKE \"%etirw%\" ESCAPE '\\' OR CommandLine LIKE \"%golon%\" ESCAPE '\\' OR CommandLine LIKE \"%tninon%\" ESCAPE '\\' OR CommandLine LIKE \"%eddih%\" ESCAPE '\\' OR CommandLine LIKE \"%tpircS%\" ESCAPE '\\' OR CommandLine LIKE \"%ssecorp%\" ESCAPE '\\' OR CommandLine LIKE \"%llehsrewop%\" ESCAPE '\\' OR CommandLine LIKE \"%esnopser%\" ESCAPE '\\' OR CommandLine LIKE \"%daolnwod%\" ESCAPE '\\' OR CommandLine LIKE \"%tneilCbeW%\" ESCAPE '\\' OR CommandLine LIKE \"%tneilc%\" ESCAPE '\\' OR CommandLine LIKE \"%ptth%\" ESCAPE '\\' OR CommandLine LIKE \"%elifotevas%\" ESCAPE '\\' OR CommandLine LIKE \"%46esab%\" ESCAPE '\\' OR CommandLine LIKE \"%htaPpmeTteG%\" ESCAPE '\\' OR CommandLine LIKE \"%tcejbO%\" ESCAPE '\\' OR CommandLine LIKE \"%maerts%\" ESCAPE '\\' OR CommandLine LIKE \"%hcaerof%\" ESCAPE '\\' OR CommandLine LIKE \"%ekovni%\" ESCAPE '\\' OR CommandLine LIKE \"%retupmoc%\" ESCAPE '\\'))" ] }, - {}, { "title": "Accessing WinAPI in PowerShell. Code Injection. - 58AA62BD", "description": "Detecting Code injection with PowerShell in another process", 
@@ -1154,7 +1143,6 @@ "SELECT * FROM logs WHERE (Channel = \"Windows PowerShell\" AND CommandLine LIKE \"%Get-WmiObject%\" ESCAPE '\\' AND CommandLine LIKE \"% Win32\\_Shadowcopy%\" ESCAPE '\\' AND (CommandLine LIKE \"%Delete()%\" ESCAPE '\\' OR CommandLine LIKE \"%Remove-WmiObject%\" ESCAPE '\\') AND EventID IN (\"400\", \"403\", \"600\"))" ] }, - {}, { "title": "PowerShell Get Clipboard - 7E2C33D4", "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", 
@@ -1212,7 +1200,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND ((Message LIKE \"%-nop%\" ESCAPE '\\' AND Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"% -c %\" ESCAPE '\\' AND Message LIKE \"%[Convert]::FromBase64String%\" ESCAPE '\\') OR (Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%-noni%\" ESCAPE '\\' AND Message LIKE \"%-nop%\" ESCAPE '\\' AND Message LIKE \"% -c %\" ESCAPE '\\' AND Message LIKE \"%iex%\" ESCAPE '\\' AND Message LIKE \"%New-Object%\" ESCAPE '\\') OR (Message LIKE \"% -w %\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%-ep%\" ESCAPE '\\' AND Message LIKE \"%bypass%\" ESCAPE '\\' AND Message LIKE \"%-Enc%\" ESCAPE '\\') OR (Message LIKE \"%powershell%\" ESCAPE '\\' AND Message LIKE \"%reg%\" ESCAPE '\\' AND Message LIKE \"%add%\" ESCAPE '\\' AND Message LIKE \"%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%\" ESCAPE '\\') OR (Message LIKE \"%bypass%\" ESCAPE '\\' AND Message LIKE \"%-noprofile%\" ESCAPE '\\' AND Message LIKE \"%-windowstyle%\" ESCAPE '\\' AND Message LIKE \"%hidden%\" ESCAPE '\\' AND Message LIKE \"%new-object%\" ESCAPE '\\' AND Message LIKE \"%system.net.webclient%\" ESCAPE '\\' AND Message LIKE \"%.download%\" ESCAPE '\\') OR (Message LIKE \"%iex%\" ESCAPE '\\' AND Message LIKE \"%New-Object%\" ESCAPE '\\' AND Message LIKE \"%Net.WebClient%\" ESCAPE '\\' AND Message LIKE \"%.Download%\" ESCAPE '\\')))" ] }, - {}, { "title": "Data Compressed - Powershell - 3F9D62AF", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", 
@@ -1227,7 +1214,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND keywords LIKE \"%-Recurse%\" ESCAPE '\\' AND keywords LIKE \"%|%\" ESCAPE '\\' AND keywords LIKE \"%Compress-Archive%\" ESCAPE '\\')" ] }, - {}, { "title": "PowerShell Get-Process LSASS in ScriptBlock - 5164F399", "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", 
@@ -1296,7 +1282,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-PowerShell/Operational\" AND EventID = \"4104\" AND ScriptBlockText IN (\"Export-PowerViewCSV\", \"Resolve-IPAddress\", \"ConvertTo-SID\", \"Convert-ADName\", \"ConvertFrom-UACValue\", \"Add-RemoteConnection\", \"Remove-RemoteConnection\", \"Invoke-UserImpersonation\", \"Invoke-RevertToSelf\", \"Get-DomainSPNTicket\", \"Invoke-Kerberoast\", \"Get-PathAcl\", \"Get-DomainDNSZone\", \"Get-DomainDNSRecord\", \"Get-Domain\", \"Get-DomainController\", \"Get-Forest\", \"Get-ForestDomain\", \"Get-ForestGlobalCatalog\", \"Find-DomainObjectPropertyOutlier-\", \"Get-DomainUser\", \"New-DomainUser\", \"Set-DomainUserPassword\", \"Get-DomainUserEvent\", \"Get-DomainComputer\", \"Get-DomainObject\", \"Set-DomainObject\", \"Get-DomainObjectAcl\", \"Add-DomainObjectAcl\", \"Find-InterestingDomainAcl\", \"Get-DomainOU\", \"Get-DomainSite\", \"Get-DomainSubnet\", \"Get-DomainSID\", \"Get-DomainGroup\", \"New-DomainGroup\", \"Get-DomainManagedSecurityGroup\", \"Get-DomainGroupMember\", \"Add-DomainGroupMember\", \"Get-DomainFileServer\", \"Get-DomainDFSShare\", \"Get-DomainGPO\", \"Get-DomainGPOLocalGroup\", \"Get-DomainGPOUserLocalGroupMapping\", \"Get-DomainGPOComputerLocalGroupMapping\", \"Get-DomainPolicy\", \"Get-NetLocalGroup\", \"Get-NetLocalGroupMember\", \"Get-NetShare\", \"Get-NetLoggedon\", \"Get-NetSession\", \"Get-RegLoggedOn\", \"Get-NetRDPSession\", \"Test-AdminAccess\", \"Get-NetComputerSiteName\", \"Get-WMIRegProxy\", \"Get-WMIRegLastLoggedOn\", \"Get-WMIRegCachedRDPConnection\", \"Get-WMIRegMountedDrive\", \"Get-WMIProcess\", \"Find-InterestingFile\", \"Find-DomainUserLocation\", \"Find-DomainProcess\", \"Find-DomainUserEvent\", \"Find-DomainShare\", \"Find-InterestingDomainShareFile\", \"Find-LocalAdminAccess\", \"Find-DomainLocalGroupMember\", \"Get-DomainTrust\", \"Get-ForestTrust\", \"Get-DomainForeignUser\", \"Get-DomainForeignGroupMember\", \"Get-DomainTrustMapping\"))" ] }, - {}, { 
"title": "Winlogon Helper DLL - B2ABCE2F", "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.", @@ -1594,7 +1579,6 @@ "SELECT * FROM logs WHERE (EventID = \"7\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (Image LIKE \"%\\\\wscript.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\cscript.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\mshta.exe\" ESCAPE '\\') AND (ImageLoaded LIKE \"%\\\\clr.dll\" ESCAPE '\\' OR ImageLoaded LIKE \"%\\\\mscoree.dll\" ESCAPE '\\' OR ImageLoaded LIKE \"%\\\\mscorlib.dll\" ESCAPE '\\'))" ] }, - {}, { "title": "Active Directory Kerberos DLL Loaded Via Office Applications - 921E8367", "description": "Detects Kerberos DLL being loaded by an Office Product", 
@@ -2847,6 +2831,20 @@ "SELECT * FROM logs WHERE (EventID IN (\"12\", \"13\", \"14\") AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND TargetObject LIKE \"%\\\\Software\\\\Sysinternals\\\\SDelete%\" ESCAPE '\\')" ] }, + { + "title": "New TaskCache Entry - 44F63F4B", + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], + "author": "Syed Hasan (@syedhasan009)", + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN (\"12\", \"13\", \"14\") AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND TargetObject LIKE \"%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%\" ESCAPE '\\')" + ] + }, { "title": "RDP Sensitive Settings Changed - 910E9290", "description": "Detects changes to RDP terminal service sensitive settings", @@ -2919,7 +2917,6 @@ "SELECT * FROM logs WHERE (EventID = \"8\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND TargetImage LIKE \"C:\\\\Windows\\\\System32\\\\lsass.exe\" ESCAPE '\\' AND StartModule = \"\")" ] }, - {}, { "title": "CreateRemoteThread API and LoadLibrary - DA07CE53", "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", @@ -2974,7 +2971,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\at.exe\" ESCAPE '\\' AND CommandLine LIKE \"%interactive%\" ESCAPE '\\')" ] }, - {}, { "title": "WMI Persistence - Script Event Consumer - AEE69F79", "description": "Detects WMI script event consumers", 
@@ -3122,7 +3118,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\wmic.exe\" ESCAPE '\\' AND ((CommandLine LIKE \"%/NODE:%\" ESCAPE '\\' AND CommandLine LIKE \"%process%\" ESCAPE '\\' AND CommandLine LIKE \"%call%\" ESCAPE '\\' AND CommandLine LIKE \"%create %\" ESCAPE '\\') OR (CommandLine LIKE \"% path %\" ESCAPE '\\' AND (CommandLine LIKE \"%AntiVirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Firewall%\" ESCAPE '\\') AND CommandLine LIKE \"%Product%\" ESCAPE '\\' AND CommandLine LIKE \"% get %\" ESCAPE '\\')))" + "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\wmic.exe\" ESCAPE '\\' AND ((CommandLine LIKE \"%process%\" ESCAPE '\\' AND CommandLine LIKE \"%call%\" ESCAPE '\\' AND CommandLine LIKE \"%create %\" ESCAPE '\\') OR (CommandLine LIKE \"% path %\" ESCAPE '\\' AND (CommandLine LIKE \"%AntiVirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Firewall%\" ESCAPE '\\') AND CommandLine LIKE \"%Product%\" ESCAPE '\\' AND CommandLine LIKE \"% get %\" ESCAPE '\\')))" ] }, { @@ -3224,7 +3220,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND ParentIntegrityLevel = \"Medium\" AND IntegrityLevel = \"System\" AND User LIKE \"NT AUTHORITY\\\\SYSTEM\" ESCAPE '\\')" ] }, - {}, { "title": "Suspicious Rundll32 Activity Invoking Sys File - 17F9A090", "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", @@ -3373,8 +3368,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\Microsoft.Workflow.Compiler.exe\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "PsExec Service Start - 1D0D655E", "description": "Detects a PsExec service start", 
@@ -3390,7 +3383,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND CommandLine LIKE \"C:\\\\Windows\\\\PSEXESVC.exe\" ESCAPE '\\')" ] }, - {}, { "title": "DLL Injection with Tracker.exe - 3C444370", "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", @@ -3456,7 +3448,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\Psr.exe\" ESCAPE '\\' AND CommandLine LIKE \"%/start%\" ESCAPE '\\')" ] }, - {}, { "title": "Indirect Command Execution By Program Compatibility Wizard - 1686BB26", "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", @@ -3501,7 +3492,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND ProcessCommandLine LIKE \"%/UpdateDeploymentProvider%\" ESCAPE '\\' AND ProcessCommandLine LIKE \"%/RunHandlerComServer%\" ESCAPE '\\' AND (Image LIKE \"%\\\\wuauclt.exe\" ESCAPE '\\'))" ] }, - {}, { "title": "Rundll32 Without Parameters - F72787CD", "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", 
@@ -3615,7 +3605,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND ParentImage LIKE \"%\\\\mmc.exe\" ESCAPE '\\' AND ((Image LIKE \"%\\\\cmd.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\powershell.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\wscript.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\cscript.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\sh.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\bash.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\reg.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\regsvr32.exe\" ESCAPE '\\') OR (Image LIKE \"%\\\\BITSADMIN%\" ESCAPE '\\')))" ] }, - {}, { "title": "Netsh Port or Application Allowed - 38C167BB", "description": "Allow Incoming Connections by Port or Application on Windows Firewall", @@ -4057,7 +4046,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (Image LIKE \"%\\\\setspn.exe\" ESCAPE '\\' OR (Description LIKE \"%Query or reset the computer%\" ESCAPE '\\' AND Description LIKE \"%SPN attribute%\" ESCAPE '\\')) AND CommandLine LIKE \"%-q%\" ESCAPE '\\')" ] }, - {}, { "title": "Windows Network Enumeration - 274368BB", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", @@ -4177,7 +4165,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND CommandLine LIKE \"%transport=dt\\_socket,address=%\" ESCAPE '\\' AND NOT (CommandLine LIKE \"%address=127.0.0.1%\" ESCAPE '\\' OR CommandLine LIKE \"%address=localhost%\" ESCAPE '\\'))" ] }, - {}, { "title": "Disable Windows Eventlog - 7A63005B", "description": "Detects command that is used to disable Windows eventlog", 
@@ -4417,6 +4404,19 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (Image LIKE \"%\\\\powerpnt.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\winword.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\excel.exe\" ESCAPE '\\') AND CommandLine LIKE \"%http%\" ESCAPE '\\')" ] }, + { + "title": "Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access - C4DC55F8", + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are \"activated\" the privilleged shell is launched.", + "author": "Sreeman", + "tags": [ + "attack.t1015", + "attack.privilege_escalation" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (CommandLine LIKE \"copy /y C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe\" ESCAPE '\\'))" + ] + }, { "title": "COMPlus_ETWEnabled Command Line Arguments - 3B52E370", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", @@ -4513,7 +4513,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\runonce.exe\" ESCAPE '\\' AND ParentImage LIKE \"%\\\\rundll32.exe\" ESCAPE '\\' AND ParentCommandLine LIKE \"%setupapi.dll%\" ESCAPE '\\' AND ParentCommandLine LIKE \"%InstallHinfSection%\" ESCAPE '\\')" ] }, - {}, { "title": "Application Whitelisting Bypass via Dnx.exe - 0B81025F", "description": "Execute C# code located in the consoleapp folder", 
@@ -4695,7 +4694,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\schtasks.exe\" ESCAPE '\\' AND CommandLine LIKE \"%/change%\" ESCAPE '\\' AND CommandLine LIKE \"%/TN%\" ESCAPE '\\' AND CommandLine LIKE \"%/RU%\" ESCAPE '\\' AND CommandLine LIKE \"%/RP%\" ESCAPE '\\')" ] }, - {}, { "title": "Renamed PAExec - A5AA95EB", "description": "Detects suspicious renamed PAExec execution as often used by attackers", @@ -4732,8 +4730,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND CommandLine LIKE \"%wmic%\" ESCAPE '\\' AND CommandLine LIKE \"%product where name=%\" ESCAPE '\\' AND CommandLine LIKE \"%call uninstall%\" ESCAPE '\\' AND CommandLine LIKE \"%/nointeractive%\" ESCAPE '\\' AND (CommandLine LIKE \"%Antivirus%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Security%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Detection%\" ESCAPE '\\' OR CommandLine LIKE \"%Crowdstrike Sensor%\" ESCAPE '\\' OR CommandLine LIKE \"%Windows Defender%\" ESCAPE '\\' OR CommandLine LIKE \"%VirusScan%\" ESCAPE '\\' OR CommandLine LIKE \"%Threat Protection%\" ESCAPE '\\' OR CommandLine LIKE \"%Endpoint Sensor%\" ESCAPE '\\'))" ] }, - {}, - {}, { "title": "Empire PowerShell Launch Parameters - 03174317", "description": "Detects suspicious powershell command line parameters used in Empire", 
@@ -4866,7 +4862,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (CommandLine LIKE \"%OjpGcm9tQmFzZTY0U3RyaW5n%\" ESCAPE '\\' OR CommandLine LIKE \"%o6RnJvbUJhc2U2NFN0cmluZ%\" ESCAPE '\\' OR CommandLine LIKE \"%6OkZyb21CYXNlNjRTdHJpbm%\" ESCAPE '\\'))" ] }, - {}, { "title": "Rar with Password or Compression Level - 08DB3133", "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", @@ -5234,7 +5229,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\powershell.exe\" ESCAPE '\\' AND CommandLine LIKE \"%Start-BitsTransfer%\" ESCAPE '\\')" ] }, - {}, { "title": "Regedit as Trusted Installer - 419E03DE", "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", 
@@ -6225,6 +6219,20 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\findstr.exe\" ESCAPE '\\' AND CommandLine LIKE \"%.lnk\" ESCAPE '\\')" ] }, + { + "title": "Monitoring Winget For LOLbin Execution - 6776E2F4", + "description": "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", + "author": "Sreeman", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (CommandLine LIKE \"%.%(_i)winget install (--m|-m).%\" ESCAPE '\\'))" + ] + }, { "title": "Capture Credentials with Rpcping.exe - 95A55062", "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", @@ -6298,8 +6306,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (CommandLine LIKE \"%\\\\calc.exe %\" ESCAPE '\\' OR ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND Image LIKE \"%\\\\calc.exe\" ESCAPE '\\' AND NOT (Image LIKE \"%\\\\Windows\\\\Sys%\" ESCAPE '\\'))))" ] }, - {}, - {}, { "title": "MSI Spawned Cmd and Powershell Spawned Processes - 7FA91A15", "description": "This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes", 
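Review bot: The new winget rule's only predicate, `CommandLine LIKE "%.%(_i)winget install (--m|-m).%" ESCAPE '\\'`, is a regular expression written into a SQL LIKE pattern: the alternation `(--m|-m)`, the `.` wildcards and the `(_i)` case-flag are all matched literally, so no real command line will satisfy it and the rule is dead on arrival. This looks like a Sigma `re`-modifier condition passing through the converter untranslated, which the generator should either translate into equivalent LIKE terms or skip with a warning rather than emit silently. A substring form that keeps the intent is `CommandLine LIKE "%winget%install%" ESCAPE '\\' AND (CommandLine LIKE "% -m %" ESCAPE '\\' OR CommandLine LIKE "% --m%" ESCAPE '\\')`, which is also consistent with how every other rule in this file expresses `contains` matches.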
@@ -6394,7 +6400,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND (CommandLine LIKE \"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%\" ESCAPE '\\' OR CommandLine LIKE \"% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%\" ESCAPE '\\'))" ] }, - {}, { "title": "Always Install Elevated Windows Installer - DBA7F8D2", "description": "This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege", @@ -6976,7 +6981,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND CommandLine LIKE \"% /INJECTRUNNING %\" ESCAPE '\\')" ] }, - {}, { "title": "Suspicious Csc.exe Source File Folder - 67351E6F", "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", @@ -6991,7 +6995,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (Image LIKE \"%\\\\csc.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%\\\\AppData\\\\%\" ESCAPE '\\' OR CommandLine LIKE \"%\\\\Windows\\\\Temp\\\\%\" ESCAPE '\\')) AND NOT (ParentImage LIKE \"C:\\\\Program Files%\" ESCAPE '\\' OR (ParentImage LIKE \"%\\\\sdiagnhost.exe\" ESCAPE '\\' OR ParentImage LIKE \"%\\\\w3wp.exe\" ESCAPE '\\') OR (ParentCommandLine LIKE \"%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%\" ESCAPE '\\')))" ] }, - {}, { "title": "Suspicious TSCON Start - E3111F35", "description": "Detects a tscon.exe start as LOCAL SYSTEM", 
@@ -7367,7 +7370,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\bcdedit.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%delete%\" ESCAPE '\\' OR CommandLine LIKE \"%deletevalue%\" ESCAPE '\\' OR CommandLine LIKE \"%import%\" ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\bcdedit.exe\" ESCAPE '\\' AND (CommandLine LIKE \"%delete%\" ESCAPE '\\' OR CommandLine LIKE \"%deletevalue%\" ESCAPE '\\' OR CommandLine LIKE \"%import%\" ESCAPE '\\' OR CommandLine LIKE \"%safeboot%\" ESCAPE '\\' OR CommandLine LIKE \"%network%\" ESCAPE '\\'))" ] }, { @@ -7691,7 +7694,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\cmd.exe\" ESCAPE '\\' AND CommandLine LIKE \"%http%\" ESCAPE '\\' AND CommandLine LIKE \"%://%\" ESCAPE '\\' AND CommandLine LIKE \"%\\%AppData\\%%\" ESCAPE '\\')" ] }, - {}, { "title": "Adwind RAT / JRAT - 9AE2C567", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", 
@@ -7765,6 +7767,19 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (((Image LIKE \"%\\\\takeown.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\cacls.exe\" ESCAPE '\\' OR Image LIKE \"%\\\\icacls.exe\" ESCAPE '\\') AND CommandLine LIKE \"%/grant%\" ESCAPE '\\') OR (Image LIKE \"%\\\\attrib.exe\" ESCAPE '\\' AND CommandLine LIKE \"%-r%\" ESCAPE '\\')))" ] }, + { + "title": "Dropping Of Password Filter DLL - 8A98ACFC", + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "author": "Sreeman", + "tags": [ + "attack.credential_access", + "attack.t1174" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND CommandLine LIKE \"%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%\" ESCAPE '\\' AND CommandLine LIKE \"%scecli\\\\0%\" ESCAPE '\\' AND CommandLine LIKE \"%reg add%\" ESCAPE '\\')" + ] + }, { "title": "Suspicious RDP Redirect Using TSCON - 9FDEE0C7", "description": "Detects a suspicious RDP session redirect using tscon.exe", @@ -8157,7 +8172,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (Image LIKE \"%\\\\wsmprovhost.exe\" ESCAPE '\\' OR ParentImage LIKE \"%\\\\wsmprovhost.exe\" ESCAPE '\\'))" ] }, - {}, { "title": "Run Whoami Showing Privileges - 3EA29598", "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.", 
@@ -8186,7 +8200,6 @@ "SELECT * FROM logs WHERE ((EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND ((Image LIKE \"%\\\\rundll32.exe\" ESCAPE '\\') OR (Description LIKE \"%Windows-Hostprozess (Rundll32)%\" ESCAPE '\\')) AND (CommandLine LIKE \"%Default.GetString%\" ESCAPE '\\' OR CommandLine LIKE \"%FromBase64String%\" ESCAPE '\\'))" ] }, - {}, { "title": "Abusing Findstr for Defense Evasion - 37622ED3", "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", @@ -8213,7 +8226,6 @@ "SELECT * FROM logs WHERE (EventID = \"1\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\VBoxDrvInst.exe\" ESCAPE '\\' AND CommandLine LIKE \"%driver%\" ESCAPE '\\' AND CommandLine LIKE \"%executeinf%\" ESCAPE '\\')" ] }, - {}, { "title": "Devtoolslauncher.exe Executes Specified Binary - E6A7650F", "description": "The Devtoolslauncher.exe executes other binary", 
@@ -8580,8 +8592,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND ((ServiceName LIKE \"%fgexec%\" ESCAPE '\\' OR ServiceName LIKE \"%wceservice%\" ESCAPE '\\' OR ServiceName LIKE \"%wce service%\" ESCAPE '\\' OR ServiceName LIKE \"%pwdump%\" ESCAPE '\\' OR ServiceName LIKE \"%gsecdump%\" ESCAPE '\\' OR ServiceName LIKE \"%cachedump%\" ESCAPE '\\' OR ServiceName LIKE \"%mimikatz%\" ESCAPE '\\' OR ServiceName LIKE \"%mimidrv%\" ESCAPE '\\') OR (ImagePath LIKE \"%fgexec%\" ESCAPE '\\' OR ImagePath LIKE \"%dumpsvc%\" ESCAPE '\\' OR ImagePath LIKE \"%cachedump%\" ESCAPE '\\' OR ImagePath LIKE \"%mimidrv%\" ESCAPE '\\' OR ImagePath LIKE \"%gsecdump%\" ESCAPE '\\' OR ImagePath LIKE \"%servpw%\" ESCAPE '\\' OR ImagePath LIKE \"%pwdump%\" ESCAPE '\\')))" ] }, - {}, - {}, { "title": "Remote WMI ActiveScriptEventConsumers - 20832D8C", "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", @@ -8638,7 +8648,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"7045\" AND ServiceName IN (\"srservice\", \"ipvpn\", \"hkmsvc\"))" ] }, - {}, { "title": "SysKey Registry Keys Access - 0E28ECC3", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", @@ -8781,7 +8790,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND AuditSourceName = \"VSSAudit\" AND (EventID = \"4904\" OR EventID = \"4905\"))" ] }, - {}, { "title": "T1047 Wmiprvse Wbemcomn DLL Hijack - E9057B0E", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", 
@@ -8866,7 +8874,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4624\" AND ((SubjectUserSid = \"S-1-0-0\" AND LogonType = \"3\" AND LogonProcessName = \"NtLmSsp\" AND KeyLength = \"0\") OR (LogonType = \"9\" AND LogonProcessName = \"seclogo\"))) AND NOT (AccountName = \"ANONYMOUS LOGON\"))" ] }, - {}, { "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos - 6F3E544C", "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", @@ -8895,7 +8902,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"16\" AND HiveName LIKE \"%\\\\AppData\\\\Local\\\\Temp\\\\SAM%\" ESCAPE '\\' AND HiveName LIKE \"%.dmp\" ESCAPE '\\')" ] }, - {}, { "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - 17FDA933", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", @@ -8927,7 +8933,6 @@ "SELECT * FROM logs WHERE (Channel = \"Microsoft-Windows-NTLM/Operational\" AND EventID = \"8002\" AND CallingProcessName LIKE \"%\" ESCAPE '\\')" ] }, - {}, { "title": "Admin User Remote Logon - 4A40A753", "description": "Detect remote login by Administrator user depending on internal pattern", @@ -8969,7 +8974,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4706\")" ] }, - {}, { "title": "COMPlus_ETWEnabled Registry Modification - A9F42D97", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", 
@@ -8983,7 +8987,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4657\" AND ObjectName LIKE \"%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\" ESCAPE '\\' AND ObjectValueName = \"ETWEnabled\" AND NewValue = \"0\")" ] }, - {}, { "title": "Local User Creation - EC51C58E", "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", @@ -8998,7 +9001,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4720\")" ] }, - {}, { "title": "Transferring Files with Credential Data via Network Shares - 2E79E1AF", "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", @@ -9074,7 +9076,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4624\" AND LogonType = \"9\" AND LogonProcessName = \"seclogo\" AND AuthenticationPackageName = \"Negotiate\")" ] }, - {}, { "title": "SCM Database Privileged Operation - D4E6315A", "description": "Detects non-system users performing privileged operation os the SCM database", @@ -9199,7 +9200,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND EventID = \"1033\" AND Source = \"Microsoft-Windows-DHCP-Server\")" ] }, - {}, { "title": "SAM Registry Hive Handle Request - DA0447A0", "description": "Detects handles requested to SAM registry hive", @@ -9777,8 +9777,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"4697\" AND ImagePath LIKE \"%tap0901%\" ESCAPE '\\')" ] }, - {}, - {}, { "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", 
@@ -9793,7 +9791,6 @@ "SELECT * FROM (SELECT *,count(*) AS agg FROM logs WHERE (Channel = \"Security\" AND EventID = \"5156\" AND DestinationPort IN (\"3268\", \"3269\")) GROUP BY SourceAddress) WHERE agg > 2000" ] }, - {}, { "title": "DPAPI Domain Backup Key Extraction - 1F38E4F2", "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", @@ -9837,6 +9834,21 @@ "SELECT * FROM (SELECT *,count(Account_Name) AS agg FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4625\" AND Logon_Type = \"2\") AND NOT (Caller_Process_Name = \"-\")) GROUP BY Caller_Process_Name) WHERE agg > 10" ] }, + { + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms - D29BF0B4", + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", + "author": "Sreeman", + "tags": [ + "attack.t1204", + "attack.t1193", + "attack.execution", + "attack.initial_access" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel = \"Security\" AND CommandLine LIKE \"%.SettingContent-ms%\" ESCAPE '\\' AND NOT ((FilePath LIKE \"%immersivecontrolpanel%\" ESCAPE '\\')))" + ] + }, { "title": "Impacket PsExec Execution - D8619FDA", "description": "Detects execution of Impacket's psexec.py.", @@ -10027,7 +10039,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"4662\" AND AccessMask = \"0x100\" AND (Properties LIKE \"%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%\" ESCAPE '\\' OR Properties LIKE \"%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%\" ESCAPE '\\' OR Properties LIKE \"%89e95b76-444d-4c62-991a-0facbeda640c%\" ESCAPE '\\')) AND NOT (SubjectUserName LIKE \"%$\" ESCAPE '\\' OR SubjectUserName LIKE \"MSOL\\_%\" ESCAPE '\\'))" ] }, - {}, { "title": "Access to ADMIN$ Share - 3FB84A7C", "description": "Detects access to $ADMIN share", 
@@ -10083,7 +10094,6 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND (EventID = \"5145\" AND ShareName LIKE \"%C$\" ESCAPE '\\' AND AccessMask = \"0x2\") AND NOT (SubjectUserName LIKE \"%$\" ESCAPE '\\'))" ] }, - {}, { "title": "Generic Password Dumper Activity on LSASS - FA2DCF85", "description": "Detects process handle on LSASS process with certain access mask", 
@@ -10252,6 +10262,19 @@ "SELECT * FROM logs WHERE (Channel = \"Security\" AND EventID = \"5145\" AND ShareName LIKE \"\\\\%\\\\IPC$\" ESCAPE '\\' AND RelativeTargetName = \"atsvc\" AND Accesses LIKE \"%WriteData%\" ESCAPE '\\')" ] }, + { + "title": "Suspicious Werfault.exe Network Connection Outbound - 22CA2D0B", + "description": "Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.", + "author": "Sreeman", + "tags": [ + "attack.command_and_control", + "attack.t1571" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = \"3\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\") AND Image = \"werfault.exe\" AND NOT ((EventID = \"3\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND ParentImage = \"svchost.exe\" AND (DestinationIp LIKE \"104.42.151.234\" ESCAPE '\\' OR DestinationIp LIKE \"104.43.193.48\" ESCAPE '\\' OR DestinationIp LIKE \"52.255.188.83\" ESCAPE '\\' OR DestinationIp LIKE \"13.64.90.137\" ESCAPE '\\' OR DestinationIp LIKE \"168.61.161.212\" ESCAPE '\\' OR DestinationIp LIKE \"13.88.21.125\" ESCAPE '\\' OR DestinationIp LIKE \"40.88.32.150\" ESCAPE '\\' OR DestinationIp LIKE \"52.147.198.201\" ESCAPE '\\' OR DestinationIp LIKE \"52.239.207.100\" ESCAPE '\\' OR DestinationIp LIKE \"52.176.224.96\" ESCAPE '\\' OR DestinationIp LIKE \"2607:7700:0:24:0:1:287e:1894\" ESCAPE '\\' OR DestinationIp LIKE \"10.%\" ESCAPE '\\' OR DestinationIp LIKE \"192.168.%\" ESCAPE '\\' OR DestinationIp LIKE \"127.%\" ESCAPE '\\') AND (DestinationHostname LIKE \"%.windowsupdate.com%\" ESCAPE '\\' OR DestinationHostname LIKE \"%.microsoft.com%\" ESCAPE '\\'))))" + ] + }, { "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln - 755FEA55", "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", 
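Review bot: The new Werfault rule selects with `Image = "werfault.exe"` by exact equality, while every other Sysmon rule in this file matches the image as `Image LIKE "%\\\\name.exe" ESCAPE '\\'`; Sysmon normally records Image as a full path, so the equality is unlikely ever to hold and the rule would never fire. The exclusion has the same problem with `ParentImage = "svchost.exe"`, and a never-true exclusion has the opposite effect: once the selector is fixed, the rule would fire on the legitimate Windows Error Reporting traffic it is meant to exclude. Suggest `Image LIKE "%\\\\werfault.exe" ESCAPE '\\'` and `ParentImage LIKE "%\\\\svchost.exe" ESCAPE '\\'`, presumably by fixing the wildcard handling in the upstream rule or the converter rather than hand-editing this generated file; the hard-coded Microsoft IP allow-list inherited from the upstream rule will also age and is worth a comment in the rule description.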
@@ -10349,8 +10372,6 @@ "SELECT * FROM logs WHERE (Channel = \"System\" AND Source = \"Microsoft-Windows-Ntfs\" AND EventID = \"98\" AND DeviceName LIKE \"%HarddiskVolumeShadowCopy%\" ESCAPE '\\')" ] }, - {}, - {}, { "title": "Possible DNS Rebinding - 97CEA82E", "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).", @@ -10654,6 +10675,5 @@ "rule": [ "SELECT * FROM logs WHERE (EventID = \"15\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND Image LIKE \"%\\\\regedit.exe\" ESCAPE '\\')" ] - }, - {} + } ] \ No newline at end of file diff --git a/tools/genRules/genRules.py b/tools/genRules/genRules.py index 45c5d1b..2d9d552 100644 --- a/tools/genRules/genRules.py +++ b/tools/genRules/genRules.py @@ -68,6 +68,7 @@ def retrieveRule(ruleFile): pool.close() pool.join() + outputList = list(filter(None, outputList)) # Remove empty rules with open(args.output, 'w') as f: if args.rule is not None: json.dump([outputList], f, indent=4) diff --git a/zircolite.py b/zircolite.py index a96dde6..0327988 100755 --- a/zircolite.py +++ b/zircolite.py @@ -120,7 +120,7 @@ def extractEvtx(file, tmpDir, evtx_dumpBinary): except Exception as e: logging.error(f"{Fore.RED} [-] {e}") -def flattenJSON(file): +def flattenJSON(file, timeAfter, timeBefore): """ Flatten json object with nested keys into a single level. Returns the flattened json object @@ -153,7 +153,6 @@ def flatten(x, name=''): else: # Removing all annoying character from field name key = ''.join(e for e in name[:-1].split(".")[-1] if e.isalnum()) - #key = key.lower() JSONLine[key] = value # Generate the CREATE TABLE SQL statement if key.lower() not in keyDict: 
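Review bot: `outputList = list(filter(None, outputList))` removes every falsy entry without leaving any trace, so a Sigma rule whose conversion failed (presumably the origin of the `{}` entries this commit strips from the generated ruleset) now vanishes silently instead of showing up as a visible gap in the output. Count and report what was dropped so a broken rule is noticed: `kept = list(filter(None, outputList))`, `print(f"[!] {len(outputList) - len(kept)} rule(s) produced no output")` (or the script's logger, if it has one), then `outputList = kept`. The falsy test also assumes a failed conversion is exactly `{}`; a dict that carries only an error field would still be written. The enclosing function and retrieveRule both start outside the hunk.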
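Review bot: flattenJSON gains two required positional parameters, `timeAfter` and `timeBefore`, but the docstring that follows still describes only the flattening; document the new parameters, their expected type and the sentinel values that disable filtering, e.g. `timeAfter / timeBefore: lower and upper bound on the event's SystemTime; the defaults "1970-01-01T00:00:00" and "9999-12-12T23:59:59" keep every event.` The expected type needs settling before it is documented, because the body (next hunk) compares the bounds both with a str sentinel and, via `timestamp > timeAfter`, with a `time.struct_time`. Giving them defaults, `def flattenJSON(file, timeAfter="1970-01-01T00:00:00", timeBefore="9999-12-12T23:59:59"):`, would also keep any existing `flattenJSON(file)` caller working; the rest of the docstring and the body are outside this hunk.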
@@ -170,7 +169,13 @@ def flatten(x, name=''):
 flatten(json.loads(line))
 except Exception as e:
 logging.debug(f'JSON ERROR : {e}')
- JSONOutput.append(JSONLine)
+ # Handle timestamp filters
+ if timeAfter != "1970-01-01T00:00:00" and timeBefore != "9999-12-12T23:59:59":
+ timestamp = time.strptime(JSONLine["SystemTime"].split(".")[0].replace("Z",""), '%Y-%m-%dT%H:%M:%S')
+ if timestamp > timeAfter and timestamp < timeBefore:
+ JSONOutput.append(JSONLine)
+ else:
+ JSONOutput.append(JSONLine)
 JSONLine = {}
 return {"dbFields": fieldStmt, "dbValues": JSONOutput}
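Review bot: The guard `if timeAfter != "1970-01-01T00:00:00" and timeBefore != "9999-12-12T23:59:59":` compares the `time.struct_time` values the caller passes (see `time.strptime(args.after, ...)` in the `@@ -388` hunk) with strings, so it is always true and the filter runs even when neither `--after` nor `--before` was given; even with matching types, `and` would disable filtering whenever only one bound is set. Because it always runs, `JSONLine["SystemTime"]` raises `KeyError` for any event that lacks that field (or for a line whose parse failed in the `except` just above and left `JSONLine` partial) and `time.strptime` raises `ValueError` on an unexpected format, and neither is caught, so a single odd record aborts the whole run. The strict `>`/`<` comparison also drops events that fall exactly on a bound. I would drop the string sentinel check (the CLI defaults already parse to the widest window), make the bounds inclusive and catch the per-event parse errors, keeping unparseable events so the filter never silently hides data; the enclosing loop and function continue outside the hunk on both sides.
```python
                # Handle timestamp filters: timeAfter/timeBefore are time.struct_time bounds,
                # so the CLI defaults already admit every event and no sentinel check is needed
                try:
                    timestamp = time.strptime(JSONLine["SystemTime"].split(".")[0].replace("Z",""), '%Y-%m-%dT%H:%M:%S')
                except (KeyError, ValueError, AttributeError) as e:
                    logging.debug(f'TIMESTAMP ERROR : {e}')
                    JSONOutput.append(JSONLine)  # keep events whose time cannot be parsed rather than drop them silently
                else:
                    if timeAfter <= timestamp <= timeBefore:
                        JSONOutput.append(JSONLine)
                # … unchanged: JSONLine = {} …
```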
@@ -342,22 +347,15 @@ def saveDbToDisk(dbConnection, dbFilename):
 # MAIN()
 ################################################################
 if __name__ == '__main__':
- print("""
- ███████╗██╗██████╗ ██████╗ ██████╗ ██╗ ██╗████████╗███████╗
- ╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║ ██║╚══██╔══╝██╔════╝
- ███╔╝ ██║██████╔╝██║ ██║ ██║██║ ██║ ██║ █████╗
- ███╔╝ ██║██╔══██╗██║ ██║ ██║██║ ██║ ██║ ██╔══╝
- ███████╗██║██║ ██║╚██████╗╚██████╔╝███████╗██║ ██║ ███████╗
- ╚══════╝╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚══════╝
- """)
 # Init Args handling
 tmpDir = "tmp-" + ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(8))
 parser = argparse.ArgumentParser()
 parser.add_argument("-e", "--evtx", help="EVTX log file or directory where EVTX log files are stored in JSON or EVTX format", type=str, required=True)
- parser.add_argument("-s", "--select", help="Only EVTX files containing the provided string will be used. If there is/are exclusion(s) (--avoid) they will be handled after selection", action='append', nargs='+')
- parser.add_argument("-a", "--avoid", help="EVTX files containing the provided string will NOT be used", action='append', nargs='+')
+ parser.add_argument("-s", "--select", help="Only EVTX files containing the provided string will be used. If there is/are exclusion(s) ('--avoid') they will be handled after selection", action='append', nargs='+')
+ parser.add_argument("-a", "--avoid", help="EVTX files containing the provided string will NOT be used", nargs='+')
 parser.add_argument("-r", "--ruleset", help="JSON File containing SIGMA rules", type=str, required=True)
+ parser.add_argument("-R", "--rulefilter", help="Remove rule from ruleset, match is done on rule title. 
The easier is to provide a CRC32 (check your ruleset to find it)", action='append', nargs='*')
 parser.add_argument("-c", "--config", help="JSON File containing field mappings and exclusions", type=str, default="config/fieldMappings.json")
 parser.add_argument("-o", "--outfile", help="JSON file that will contains all detected events", type=str, default="detected_events.json")
 parser.add_argument("-f", "--fileext", help="EVTX file extension", type=str, default="evtx")
@@ -366,6 +364,8 @@ def saveDbToDisk(dbConnection, dbFilename):
 parser.add_argument("-d", "--dbfile", help="Save data as a SQLite Db to the specified file on disk", type=str)
 parser.add_argument("-l", "--logfile", help="Log file name", default="zircolite.log", type=str)
 parser.add_argument("-j", "--jsononly", help="If logs files are already in JSON lines format ('jsonl' in evtx_dump)", action="store_true")
+ parser.add_argument("-A", "--after", help="Zircolite will only work on events that happened after the provided timestamp (UTC). Format : 1970-01-01T00:00:00", type=str, default="1970-01-01T00:00:00")
+ parser.add_argument("-B", "--before", help="Zircolite will only work on events that happened before the provided timestamp (UTC). Format : 1970-01-01T00:00:00", type=str, default="9999-12-12T23:59:59")
 parser.add_argument("--remote", help="Forward results to a HTTP server, please provide the full address e.g http://address:port/uri (except for Splunk)", type=str)
 parser.add_argument("--token", help="Use this to provide Splunk HEC Token", type=str)
 parser.add_argument("--stream", help="By default event forwarding is done at the end, this option activate forwarding events when detected", action="store_true")
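Review bot: `--rulefilter` is declared with `nargs='*'`, so a bare `-R` is accepted and `-R ""` matches every title once the substring filter in the later `@@ -484` hunk runs, emptying the ruleset without any error; `nargs='+'` (as `--select` uses) rejects the bare form, and a check that no filter value is empty would cover the second case. The help text says matching is done on the title and suggests the CRC32, but that hunk does a plain case-sensitive substring match, which the help should state, e.g. `help="Remove rules whose title contains the provided string (case sensitive, substring match); the CRC32 suffix of the title is the easiest key"`. Separately, `--avoid` lost `action='append'` while `--select` keeps it, so one now yields a flat list and the other a list of lists; presumably the consumers were adjusted, but keeping both shapes alike avoids a silent mismatch later. Both hunks sit inside the `__main__` block, which continues past this chunk.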
@@ -379,6 +379,19 @@ def saveDbToDisk(dbConnection, dbFilename):
 # Init logging
 consoleLogger = initLogger(args.debug, args.logfile)
+
+ logging.info("""
+ ███████╗██╗██████╗ ██████╗ ██████╗ ██╗ ██╗████████╗███████╗
+ ╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║ ██║╚══██╔══╝██╔════╝
+ ███╔╝ ██║██████╔╝██║ ██║ ██║██║ ██║ ██║ █████╗
+ ███╔╝ ██║██╔══██╗██║ ██║ ██║██║ ██║ ██║ ██╔══╝
+ ███████╗██║██║ ██║╚██████╗╚██████╔╝███████╗██║ ██║ ███████╗
+ ╚══════╝╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚══════╝
+ """)
+
+ # flatten array of "rulefilter" arguments
+ if args.rulefilter: args.rulefilter = [item for sublist in args.rulefilter for item in sublist]
+
 # Init Forwarding
 forwarder = eventForwarder(args.remote, args.token)
 if args.remote is not None:
@@ -388,6 +401,12 @@ def saveDbToDisk(dbConnection, dbFilename):
 logging.info("[+] Checking prerequisites")
+ # Checking provided timestamps
+ try:
+ eventsAfter = time.strptime(args.after, '%Y-%m-%dT%H:%M:%S')
+ eventsBefore = time.strptime(args.before, '%Y-%m-%dT%H:%M:%S')
+ except:
+ quitOnError(f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'")
 # Cheking for evtx_dump binaries
 evtx_dumpBinary = getOSExternalTools()
 checkIfExists(evtx_dumpBinary, f"{Fore.RED} [-] Cannot find Evtx_dump")
@@ -456,7 +475,7 @@ def saveDbToDisk(dbConnection, dbFilename):
 quitOnError(f"{Fore.RED} [-] No JSON files found.")
 for evtxJSON in tqdm(EVTXJSONList, colour="yellow"):
 if os.stat(evtxJSON).st_size != 0:
- results = flattenJSON(evtxJSON)
+ results = flattenJSON(evtxJSON, eventsAfter, eventsBefore)
 fieldStmt += results["dbFields"]
 valuesStmt += results["dbValues"]
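Review bot: The bare `except:` around the two `time.strptime` calls in the `@@ -388` hunk also swallows `KeyboardInterrupt` and `SystemExit`, while a malformed `--after`/`--before` only raises `ValueError`; write `except ValueError:` so an interrupt during startup still stops the tool. The error message asks for `'AAAA-MM-DDTHH:MM:SS'` whereas the argument help shows `1970-01-01T00:00:00`; `'YYYY-MM-DDTHH:MM:SS'` would match the format string actually parsed. It would also be worth rejecting an inverted window here, e.g. `if eventsAfter > eventsBefore: quitOnError(f"{Fore.RED} [-] --after must not be later than --before")`, since with the filter in the `@@ -170` hunk such a run completes and simply matches nothing. The enclosing `__main__` block continues outside these hunks.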
@@ -484,6 +503,11 @@ def saveDbToDisk(dbConnection, dbFilename):
 logging.info(f"[+] Loading ruleset from : {args.ruleset}")
 with open(args.ruleset) as f:
 ruleset = json.load(f)
+ # Remove empty rule and remove filtered rules
+ ruleset = list(filter(None, ruleset))
+ if args.rulefilter is not None:
+ ruleset = [rule for rule in ruleset if not any(ruleFilter in rule["title"] for ruleFilter in args.rulefilter)]
+
 logging.info(f"[+] Executing ruleset - {len(ruleset)} rules")
 # Results are writen upon detection to allow analysis during execution and to avoid loosing results in case of error.
 fullResults = []
@@ -492,7 +516,7 @@ def saveDbToDisk(dbConnection, dbFilename):
 with tqdm(ruleset, colour="yellow") as ruleBar:
 f.write('[')
 for rule in ruleBar: # for each rule in ruleset
- if args.showall and "title" in rule: ruleBar.write(f'{Fore.BLUE} - {rule["title"]}') # Print all rules
+ if args.showall: ruleBar.write(f'{Fore.BLUE} - {rule["title"]}') # Print all rules
 ruleResults = executeRule(rule)
 if ruleResults != {}: ruleBar.write(f'{Fore.CYAN} - {ruleResults["title"]} : {ruleResults["count"]} events')
@@ -513,7 +537,7 @@ def saveDbToDisk(dbConnection, dbFilename):
 else:
 f.write('[')
 for rule in ruleset:
- if args.showall and "title" in rule: ruleBar.write(f'{Fore.BLUE} - {rule["title"]}') # Print all rules
+ if args.showall: logging.info(f'{Fore.BLUE} - {rule["title"]}') # Print all rules
 ruleResults = executeRule(rule)
 if ruleResults != {}: logging.info(f'{Fore.CYAN} - {ruleResults["title"]} : {ruleResults["count"]} events')
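Review bot: `rule["title"]` in the new `--rulefilter` comprehension raises `KeyError` for any rule object that has no `title`, and the two later hunks in this section drop the `"title" in rule` guard on the `--showall` print, so a malformed but non-empty rule in a hand-edited ruleset now aborts the run instead of being skipped; `filter(None, ruleset)` only removes empty entries. Use `rule.get("title", "")` there, e.g. `ruleset = [rule for rule in ruleset if not any(ruleFilter in rule.get("title", "") for ruleFilter in args.rulefilter)]`, or keep the guard in the print statements. Logging the titles (or at least the count) of the rules removed by the filter would also make the run's detection coverage auditable afterwards. The `for` loop in the last hunk may continue past the end of this chunk.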